Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

golang-code-review

v1.0.0

Provides comprehensive Golang code reviews for Git merge commits, checking format, quality, best practices, security, and generating detailed Markdown reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The description promises comprehensive reviews of Git merge commits using tools like gofmt, goimports, staticcheck and errcheck. SKILL.md recommends those tools, but the bundled index.go does not call any external analyzer or interact with Git at all: it reads a single file path passed as an argument and runs a few simple string/regex checks on it. That is a functional mismatch. The skill does not implement the heavyweight static analysis or the commit/diff awareness its description advertises.
Instruction Scope
SKILL.md's runtime instructions are limited to recommending the installation of Go static analysis tools and showing a Git hook example; they do not instruct the agent to read unrelated system files, exfiltrate data, or contact external endpoints. However, the instructions assume external tools that the code never invokes, which leaves the scope ambiguous: the user or the agent must run those tools separately.
Install Mechanism
There is no install spec (instruction-only). SKILL.md suggests go install commands for common linters — this is normal and lower risk than an automatic remote download/extract. No URLs, no extracted archives, and no package installs performed by the skill itself.
Credentials
The skill does not request any environment variables, credentials, or config paths. SKILL.md and code do not access secrets or other unrelated environment state. Requested permissions are proportional (none).
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. It does not modify other skills or agent-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk behaviors here.
What to consider before installing
This skill is not clearly what it claims: the description promises full, commit-aware static analysis, but the included program only performs simple, file-level, line-based heuristics and neither calls staticcheck/errcheck nor inspects Git diffs. That most likely makes it incomplete or misleading rather than malicious, but you should not rely on it for security reviews. Before installing or using it:
- Treat it as untrusted/experimental: run it on non-sensitive code and inspect the output first.
- If you need real static analysis, prefer tooling that explicitly invokes staticcheck/errcheck/gofmt and returns their results, or add code to this skill that calls those tools and handles their output.
- Be aware that the report logic is buggy: many rules are unimplemented and may produce empty or incorrect issue entries. Review index.go or test it locally.
- Confirm whether you (or the agent) will run the external linters SKILL.md recommends; the skill does not run them itself.
To change this assessment, provide updated code that actually invokes the declared linters or processes Git diffs/merge commits, or a clear rationale for why file-level checks meet the stated merge-review purpose.
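The gap described above is between a tool that reads one file with regexes and one that is commit-aware and actually runs the linters. As an added illustration (this is not the skill's index.go, nor any code from ClawHub or the skill author), the program below shows the shape such a review would take: it takes the changed Go files from `git diff --name-only`, runs gofmt, staticcheck and errcheck through os/exec, parses their `path:line:col: message` output into structured findings, narrows the result to the changed files, and renders a Markdown report that names any linter that was not installed instead of silently passing. Assumptions: the base branch is `origin/main`, the program is run from the repository root (which is also the module root, so git and gofmt report the same relative paths), and the three sample tool outputs are constructed for offline testing, not captured from a real run.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// Issue is one finding; staticcheck and errcheck print "path:line:col: message", gofmt -l only a path (Line 0).
type Issue struct {
	Tool, File, Message string
	Line                int
}

// Constructed sample tool output (not from a real run) for exercising the parser offline.
const (
	sampleGofmt       = "cmd/app/main.go\n"
	sampleStaticcheck = "internal/x/a.go:14:2: this value of err is never used (SA4006)\n"
	sampleErrcheck    = "cmd/app/main.go:22:9:\tf.Close()\nvendor/y/z.go:3:1:\tw.Write(b)\n"
)

// changedGoFiles keeps the non-test Go sources named in raw `git diff --name-only` output.
func changedGoFiles(diffOutput string) map[string]bool {
	files := map[string]bool{}
	for _, f := range strings.Split(diffOutput, "\n") {
		if f = strings.TrimSpace(f); strings.HasSuffix(f, ".go") && !strings.HasSuffix(f, "_test.go") {
			files[f] = true
		}
	}
	return files
}

// parseFindings turns one tool's stdout into Issues for changed files only; malformed lines are dropped, never reported empty.
func parseFindings(tool, out string, changed map[string]bool) []Issue {
	var issues []Issue
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if tool == "gofmt" {
			if changed[line] {
				issues = append(issues, Issue{tool, line, "file is not gofmt-formatted", 0})
			}
		} else if parts := strings.SplitN(line, ":", 4); len(parts) == 4 && changed[parts[0]] {
			if n, err := strconv.Atoi(parts[1]); err == nil {
				issues = append(issues, Issue{tool, parts[0], strings.TrimSpace(parts[3]), n})
			}
		}
	}
	return issues
}

// runTool executes a linter if it is on PATH and returns (stdout, ran); a non-zero exit just means findings exist.
func runTool(tool string, args ...string) (string, bool) {
	if _, err := exec.LookPath(tool); err != nil {
		return "", false
	}
	out, _ := exec.Command(tool, args...).Output()
	return string(out), true
}

// markdownReport lists findings and names every tool that did not run, so a missing linter is not a silent pass.
func markdownReport(issues []Issue, skipped []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "## Go review: %d finding(s)\n\n", len(issues))
	for _, is := range issues {
		fmt.Fprintf(&b, "- **%s** `%s:%d`: %s\n", is.Tool, is.File, is.Line, is.Message)
	}
	for _, t := range skipped {
		fmt.Fprintf(&b, "- **%s**: not installed, skipped; review is incomplete\n", t)
	}
	return b.String()
}

func main() {
	diff, err := exec.Command("git", "diff", "--name-only", "origin/main...HEAD").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "git diff failed:", err)
		os.Exit(2)
	}
	changed := changedGoFiles(string(diff))
	args := map[string][]string{"gofmt": {"-l", "."}, "staticcheck": {"./..."}, "errcheck": {"./..."}}
	var issues []Issue
	var skipped []string
	for _, name := range []string{"gofmt", "staticcheck", "errcheck"} {
		out, ran := runTool(name, args[name]...)
		if !ran {
			skipped = append(skipped, name)
			continue
		}
		issues = append(issues, parseFindings(name, out, changed)...)
	}
	fmt.Print(markdownReport(issues, skipped))
	if len(issues) > 0 {
		os.Exit(1)
	}
}
```

staticcheck and errcheck analyse packages rather than loose files, so they are run over the whole module (`./...`) and parseFindings filters their output down to the changed set; gofmt accepts a directory directly. The non-zero exit on findings makes the program usable from the kind of Git hook SKILL.md describes, and the "not installed" lines are the check a reviewer wants: a review that quietly ran zero linters looks identical to a clean one otherwise.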


latest: vk979kmrkx4pkdqn7wvnrpq2kg5832h8j
