Skill v1.0.0
ClawScan security
Code Review Inspector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 8:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a code-review assistant: it needs git, reads repository diffs/files, and makes no unexpected install or credential requests.
- Guidance: This skill is internally consistent with its purpose, but before installing consider: 1) it will read your repository files and git history (so avoid running it on repos containing secrets or private keys you don't want scanned or sent to an LLM), 2) because it's instruction-only the actual analysis will be performed by your agent/model — understand your LLM provider's data handling/privacy policies (code sent to the model may leave your environment), and 3) if you need on-host-only analysis, prefer a skill or tool that runs local, audited analyzers rather than sending code to external services. If you want extra assurance, review the full SKILL.md and CODE_REVIEW_CHECKLIST.md locally and run the skill first on a non-sensitive test repo.
Review Dimensions
- Purpose & Capability (ok): Name/description (automated code review) match the declared requirements: only 'git' is required and there are no unrelated environment variables or config paths. The skill's stated capabilities (analyzing diffs, building ASTs, checking security/performance/style) are consistent with a code review tool.
- Instruction Scope (note): SKILL.md instructs the agent to read git diffs and specified files and to analyze repository code deeply (ASTs, secret detection). This is expected for a code-review skill, but it implies broad access to the repository contents and history — including any secrets or private files present in the repo. The instructions do not reference reading system-wide files or environment variables beyond repo data.
- Install Mechanism (ok): No install spec and no code files beyond documentation; this is instruction-only and does not download or write executables to disk, which reduces install risk.
- Credentials (ok): The skill requests no environment variables or credentials. That is proportionate: a static analysis/code-review assistant does not inherently require external service credentials. If you plan to use it with external analyzers, those would be separate and should be evaluated separately.
- Persistence & Privilege (ok): `always:false` and normal agent invocation are used. The skill does not request persistent system-level presence or modify other skills. Autonomous invocation is allowed (default) but not elevated by this skill.
