Code Review
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims: send user-selected code to LogicArt for code review, but users should remember that submitted code leaves their machine.
This skill is reasonable for code review, but treat it like any cloud-based analysis tool: do not submit secrets, credentials, unreleased proprietary code, or customer data unless you trust LogicArt’s handling of that information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or proprietary code, including accidentally embedded secrets, may be sent to LogicArt for analysis.
The script sends the provided code or selected file contents to an external provider API. This is disclosed and purpose-aligned, but it creates a third-party data-sharing boundary.
const API = 'https://logic.art/api/agent/analyze'; ... body: JSON.stringify({ code, language: language || 'unknown' })
Only analyze code you are comfortable sharing with the external service, and remove secrets or sensitive data before submission.
The skill may not work in environments without Node, and the runtime requirement is less explicit than ideal.
The SKILL.md examples invoke `node {baseDir}/scripts/analyze.mjs`, but the metadata does not declare Node as a required binary. This is a minor metadata/provenance gap rather than evidence of unsafe behavior.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Install or verify Node before use, and prefer packages that clearly declare their runtime requirements.
