Skill v1.5.1
ClawScan security
Review Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 25, 2026, 8:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated purpose (coordinating multi-perspective reviews); it is an instruction-only skill that reads workspace targets, spawns internal review agents, and writes results to docs/reviews/ — nothing requested is disproportionate to that goal.
- Guidance: This skill appears internally consistent for orchestrating multi-perspective reviews. Before installing or enabling it: (1) review the two configuration files it reads (.openclaw/review-orchestrator.yaml and .claude/review-orchestrator.yaml) so you know what models/endpoints and settings will be used; (2) confirm you are comfortable with the skill reading any files you pass as review targets and writing outputs to docs/reviews/; (3) if you install the optional dependencies (failure-memory, context-verifier), audit those skills separately because they may record findings or access files; and (4) if you want to avoid automatic runs, disable autonomous invocation at the agent/platform level — the skill itself is not set to always:true but can be invoked by the agent by default.
Review Dimensions
- Purpose & Capability (ok): Name/description (multi-perspective review orchestration) matches what the SKILL.md describes: selecting review types, spawning review agents/modes, gating, and writing results to docs/reviews/. Declared config paths (.openclaw/... and .claude/...) and optional integration with failure-memory/context-verifier are coherent with a configurable review workflow.
- Instruction Scope (note): Instructions are limited to review orchestration: selecting review types, reading target file paths/topics supplied by the user, spawning internal review modes, and writing outputs to docs/reviews/. However, the skill will read configuration files (.openclaw/review-orchestrator.yaml and .claude/review-orchestrator.yaml) and any workspace files supplied as review targets — review-targets can be arbitrary files in the workspace, so confirm you are comfortable with the skill reading those files. The SKILL.md explicitly says no external third-party services are called; this relies on configuration not pointing to remote endpoints.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; lowest install risk. SKILL.md recommends installing separate skills (failure-memory, context-verifier) as optional dependencies — those are separate installs the user must intentionally run.
- Credentials (note): Skill requests no environment variables or credentials. It does declare configuration files (.openclaw/... and .claude/...) which may contain user-configured model endpoints or credentials in some setups — inspect those files before enabling to ensure they don't point to remote services or contain secrets you don't want the skill to use. Dependency recommendation (failure-memory) may record observations (per SKILL.md); check that dependency's behavior if you plan to enable integration.
- Persistence & Privilege (ok): always is false and there is no install hook or code that alters other skills or global agent settings. The skill writes review results to docs/reviews/ in the workspace, which is expected and scoped to the user's project.
