Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Quality Guardian

v1.0.0

Code Quality Checker - Detect code smells, complexity, security vulnerabilities, style conventions, etc. | Code Quality Guardian - Detect code smells, complexity, security vulnerabilities and style issues

by Lv Lancer @kaiyuelv
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included code and examples: the package implements a QualityAnalyzer, CLI, reporters, and tool runners for flake8/pylint/bandit/radon. Optional JS/Go support is documented and marked as requiring Node/Go, so the declared capabilities align with the code.
Instruction Scope
SKILL.md instructs installing dependencies (pip install -r requirements.txt) and running analyses on arbitrary project paths; that is expected for this tool. Note: running the skill will read project files, invoke linters/scanners (which may run subprocesses), and write reports to disk. The instructions do not attempt to read unrelated system config or exfiltrate data to external endpoints.
Install Mechanism
There is no automatic install spec; the README/SKILL.md recommend pip install -r requirements.txt or installing the package locally. Dependencies are standard PyPI packages; no downloads from unknown URLs or archive extraction observed in the manifest.
Credentials
The skill does not require any credentials or privileged environment variables. It optionally reads QUALITY_GUARDIAN_CONFIG and other QUALITY_GUARDIAN_* env vars for configuration, which is reasonable and documented. No secrets or unrelated service tokens are requested.
Persistence & Privilege
The skill is not always-enabled and does not ask for permanent platform-level privileges. It does not modify other skills or global agent configuration. It will write reports/config files locally if you run it (normal behavior).
Assessment
This package appears to be a straightforward code-quality tool. Before installing or running it: (1) review the tool-runner modules (e.g., tools/*) if you want to confirm the exact subprocess/network behavior (they typically call linters/scanners via subprocesses); (2) run it in an isolated environment (virtualenv/container) when first using it, since it suggests installing many linting/security tools; (3) be aware it will read the files you point it at and write reports to disk (no evidence of external exfiltration in the provided files); and (4) if you plan to analyze third-party or sensitive code, audit the included code (or run offline) to ensure it meets your policies.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
tests/test_quality_checker.py:94
Dynamic code execution detected.
