code-reviewer
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly a code-review guide, but it also asks for broad team/repository metrics using local repo paths and token-protected PR APIs that go beyond normal Go code review.
Install only if you want both code review and the included team-metrics behavior. Before use, restrict it to the repo you choose, avoid giving broad access tokens, and approve any test execution or PR-metrics collection explicitly.
VirusTotal
41/41 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may request or use a project access token and retrieve organization PR/review metrics that are not needed for ordinary code review.
The skill tells the agent to use token-protected PR review statistics APIs, while the registry declares no credentials and the main purpose is code review.
Authentication method: Bearer Token ... requires a valid access token (Access Token)
Only use this part if you intentionally want team metrics; require a least-privilege read-only token, explicit user approval, and a clearly scoped project and time range.
If those paths exist, the agent could inspect unrelated local corporate repositories and team activity as part of a code-review workflow.
The rule directs evaluation across multiple hard-coded local repositories rather than a user-selected project, broadening local data access.
Local paths of the team code repositories to evaluate: C:\yanfayun\gpc-srv C:\yanfayun\gpc-provider-orchestrator ... C:\yanfayun\provider-srv
Remove hard-coded repository paths and require the user to explicitly choose the repository, branch, date range, and metrics to analyze.
On an untrusted PR or repository, test execution could run code you did not intend to execute.
Running Go tests is purpose-aligned for coverage analysis, but it executes code from the reviewed repository and writes coverage artifacts.
Agent MUST execute this command to generate coverage data: go test "./..." ... -json > test-report.json
Run coverage commands only with user approval, preferably in a sandbox or trusted development environment.
