Iterative Code Review
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only code-review skill is transparent and safe by default, but enabling its optional automation can change code and run project commands without per-step prompts.
Use the default confirmation-based mode for important repositories. If you enable autoFix or autoContinue, do it on a clean branch, keep backups or rely on version control, and inspect all diffs before committing. Approve npm build/test commands only for repositories you trust or in an isolated environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you enable automation, the agent may edit your repository repeatedly without asking before each fix.
The skill can be configured to automatically spawn a fixer and continue review rounds without asking at each step; this is disclosed and purpose-aligned, but it can change local code.
`autoFix` ... `automatically fix issues once found (without asking)` ... `autoContinue` ... `automatically continue the review` ... the skill will **automatically modify code** without confirmation
Keep autoFix and autoContinue disabled for important projects, use a clean git branch, and review diffs before committing any generated changes.
Build or test scripts in the repository may run local code when you approve those checks.
Running build and test commands is expected for a code-review skill, and the artifact requires user confirmation, but these commands can execute scripts from the reviewed project.
TypeScript compiles (`npm run build` or `npx tsc --noEmit`) ... tests pass (`npm test`) ... compilation and tests run only after user confirmation
Only approve build/test execution for repositories you trust or run the review in an isolated development environment.
Proprietary or sensitive code may be processed by multiple subagent contexts during the review.
The workflow intentionally shares review context across multiple subagents and a fixer; this is central to the skill, but users should understand that code context may be handled by several agent roles.
Spawn 3 Reviewers in parallel ... Spawn Fixer after user confirmation
Use the skill only for code you are comfortable providing to the agent environment, and remove secrets from the review context.
Your agent may need local tools that were not surfaced as formal install requirements.
The skill documents local tool dependencies in SKILL.md, while the registry requirements section declares no required binaries; this is a metadata clarity issue, not hidden installation behavior.
Required tools: git, gh (GitHub CLI), jq, node/npm
Verify the listed tools are available and understand what commands will be run before using the workflow.
