Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Receiving Code Review

v0.1.0

Use when receiving code review feedback, before implementing suggestions, especially if feedback seems unclear or technically questionable - requires technic...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the SKILL.md content: the document is a step-by-step pattern for receiving and acting on code review. There are no unrelated required binaries, env vars, or installs declared.
Instruction Scope
The instructions direct the agent to read and verify feedback against the codebase (e.g., 'grep codebase', 'check: breaks existing functionality') and to reply to reviewers (including guidance for GitHub review threads). These actions are in scope for a code-review reception skill, but they grant the agent broad discretion to read and modify repository files and to post replies on the reviewer's behalf. The SKILL.md also references external artifacts (e.g., 'CLAUDE.md', 'your human partner's rule') that are neither included nor explained, leaving the expected behavior and policy ambiguous.
Install Mechanism
No install spec and no code files — lowest-risk delivery. Nothing is written to disk by the skill itself.
Credentials
The SKILL.md instructs actions that commonly require credentials or platform access (replying in GitHub threads, modifying code, grepping the codebase, running tests), yet the skill declares no required env vars, tokens, or config paths. This mismatch is notable: either the skill expects the host agent to already hold repository and GitHub access (reasonable), or it relies on undocumented permissions. Because the skill neither requests nor documents the credentials or scopes it needs, its runtime privileges are not transparent to the person installing it.
Persistence & Privilege
The manifest's always flag is false, and there is no installation or persistent component. However, the SKILL.md repeatedly emphasizes 'just start working' and 'skip to action', which, combined with normal autonomous invocation, means an agent could make repository changes or post reviewer replies without a human in the loop if the agent runtime permits those actions. Autonomous invocation itself is normal, but confirm the agent's runtime permissions before enabling this skill.
What to consider before installing
This skill is largely coherent: it gives a pattern for processing code review feedback and for deciding whether to push back or implement changes. Before installing, check the runtime context: will the agent have read/write access to your repository, or the ability to post GitHub comments? The SKILL.md expects the agent to read and grep the codebase and to reply in review threads, but it declares no required credentials, so make sure you understand and control the agent's repository and GitHub permissions. Also note minor oddities (references to external docs such as CLAUDE.md, and a prohibition on common polite phrases) that are unusual but not inherently malicious. If you allow this skill, consider restricting it to read-only mode, or requiring explicit confirmation before any code modification or external post.


latest: vk97bf9t4yp4d663j6c8tavfhx983c6sd
