v1.0.0

code-reviewer

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:23 AM.

Analysis

This is mostly an instruction-only code review skill, but it also includes overbroad team-metrics instructions that reference specific local repositories, named contributors, and credentialed PR APIs.

Guidance: Review this skill carefully before installing. It is acceptable for Go code review and coverage analysis if scoped to your current repository, but the team-effectiveness rule should be removed or made explicitly opt-in because it references specific local repositories, named contributors, and a credentialed PR statistics API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
rules/team-effectiveness-metrics.md
Local paths of the team code repositories to evaluate

 C:\yanfayun\gpc-srv
 C:\yanfayun\gpc-provider-orchestrator
 ...
**Data scope:** all code commits and review activity within this week

The rule directs the agent toward multiple hardcoded local repositories and all weekly commit/review activity, which is broader than normal user-selected code review and lacks clear scoping or approval controls.

User impact: The agent could inspect or summarize private local repositories and team activity that the user did not intend to include in a routine code review.
Recommendation: Remove hardcoded repository paths and require the user to explicitly provide the repository path, branch, date range, and consent before collecting team-level metrics.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
rules/testing-coverage.md
Agent MUST execute this command to generate coverage data:

go test "./..." \
    -v \
    -coverprofile="coverage.out" \
    -covermode=count \
    -gcflags=-l \
    -json > test-report.json

Running Go tests is purpose-aligned for coverage analysis, but it executes project test code and writes coverage/report files.

User impact: Coverage review may run code from the repository, which can have side effects if the project tests are unsafe or untrusted.
Recommendation: Run coverage commands only in repositories the user trusts and after confirming the working directory and expected generated files.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
rules/team-effectiveness-metrics.md
Authentication method: Bearer Token ... Usage notes
- A valid access token (Access Token) is required

The rule introduces authenticated PR-statistics API access using a Bearer token, while the registry declares no required credentials or environment variables.

User impact: Installing users may not realize the skill can ask for or use project API credentials to retrieve review statistics.
Recommendation: Declare any required credentials in metadata, limit requested token scope to read-only PR statistics, and require explicit user approval before using authenticated APIs.