Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

code-reviewer

v1.0.0

Thorough code review with focus on security, performance, and best practices for Go projects. Includes Go test coverage analysis (line/function/branch covera...

MIT-0

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious (report available)

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Go code review + coverage analysis) matches the content: many Go-focused rules and an explicit go test command for coverage. Minor inconsistency: several rule files contain Python/JavaScript examples and guidance (e.g., error-handling in Python, N+1 examples in Django/Sequelize). Those are plausible as cross-language guidance but slightly out-of-scope for a Go-only skill and should be noted.
! Instruction Scope
SKILL.md and rules/testing-coverage.md explicitly instruct the agent to run the go test command and parse coverage.out and test-report.json — appropriate for coverage analysis. However the repo also documents a PR stats API that requires a Bearer token (and gives endpoints/examples), and a team-effectiveness file contains absolute local repo paths and named contributors. The skill does not declare or require env vars for API tokens, yet its docs assume the ability to call external PR APIs — this is a scope/expectation mismatch. Confirm whether the agent will (a) make network calls to project APIs, and (b) request or require tokens from the user before doing so.
Install Mechanism
Instruction-only skill with no install steps, no downloaded code or binaries. This is low-risk from an install/remote-code perspective.
! Credentials
The skill declares no required env vars or credentials, which is consistent with being instruction-only. But documentation within the files describes calling PR stats endpoints that require a Bearer token and shows API usage requiring an access token; the skill does not declare this as a required credential. If the agent will call project APIs, requesting tokens at runtime or expecting tokens in env vars is plausible but currently undocumented — verify how auth will be provided before granting tokens. Also the presence of absolute local paths (C:\yanfayun\...) in team metrics leaks repository locations from the author environment — not a credential, but a privacy/scope concern.
Persistence & Privilege
always is false and there is no install script or code that would persist state. The skill does not request system-wide config changes or permanent presence.
What to consider before installing
This skill appears to be a legitimate Go code-review guideline set and will attempt to analyze test coverage by running 'go test' and parsing coverage.out/test-report.json. Before installing or invoking it:

1) Confirm whether you (or the agent) will need to provide API tokens for PR statistics — the docs reference a Bearer token but the skill doesn't declare any required env variables. Never paste repository or CI tokens into a tool unless you trust it and understand what calls it will make.

2) Expect the agent to run go test in the repository; run it in a sandbox or CI environment if you are concerned about side effects.

3) Review the included files yourself (they contain contributor names, Windows local paths, and multi-language examples) to ensure no surprising network calls or data exfiltration steps are hidden.

4) Ask the skill author/owner to clarify: a) whether the agent will autonomously call external PR APIs and which endpoints; b) how it requests credentials (prompt vs env var); and c) to remove or flag non-Go examples if you want Go-only guidance.

If you cannot verify those, treat the skill as potentially able to make network requests and do not supply sensitive tokens.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f4pn7xhv9yhyp6htxbr0vnn83nadd
