Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Refactoring

v1.1.0

Automated refactoring assistant. Performs safe code transformations including rename, extract method, inline variable, and move code. Provides refactoring su...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description match the shipped code for Python renames and suggestions. However, SKILL.md lists additional modules (extract.py, utils.py) that are not present in the file manifest; the roadmap also marks many features unimplemented. This mismatch suggests either that the documentation overclaims features or that files were omitted from the package.
! Instruction Scope
Runtime instructions are primarily local CLI operations (preview, backup, undo), which is appropriate. However, suggest.py attempts to import a C parser from a sibling 'c-support/lib' outside the skill directory (Path(__file__).parent.parent.parent / 'c-support' / 'lib'), which means the skill will try to load code from nearby filesystem locations not declared in the manifest. SKILL.md also instructs use of git stash/commit (which can modify the repo); while the tool itself doesn't appear to run git automatically, users following the instructions will alter their repositories. No network calls or credential access are present.
Install Mechanism
No install spec; this is instruction+script only and doesn't download or execute remote archives. That's low-risk from an installation perspective.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code likewise does not request secrets or network credentials. It writes backups under the project (.refactoring/backup) which is proportionate to its function.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not modify other skills or global agent settings. It creates local backups and can undo changes; those are normal for a refactoring tool.
What to consider before installing
This package appears to be a local refactoring tool for Python that creates backups and edits files. Before installing/using it:

1) Note that SKILL.md references files (extract.py, utils.py) that are missing; some advertised features may be unimplemented.
2) The suggestion engine will try to load a C parser from a sibling 'c-support/lib' directory on disk. Check where that would point in your environment so it doesn't unexpectedly import unrelated code.
3) Always run with --dry-run first and use a Git repo (or a copy of your project) so you can inspect changes and backups under .refactoring/backup.
4) Inspect the actual scripts in this package before running them on important repositories.

If you need the (claimed) C/C++ support, obtain and inspect the c-support dependency from a trusted source; do not rely on implicit imports from arbitrary sibling directories. If you want a cleaner install surface, prefer a packaged tool (pip/brew) from a trusted registry or run this in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk970m85d7vmsr439bwekw1jx5s843nt3
