Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Refactoring

v1.0.0

Automated refactoring assistant. Performs safe code transformations including rename, extract method, inline variable, and move code. Provides refactoring su...

0 · 41 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims multiple refactoring features (rename, extract method, inline, move, batch operations, multi-language support) in SKILL.md, but the shipped code implements primarily a Python rename engine and a suggestion engine. The SKILL.md mentions additional scripts (extract.py, utils.py) and commands (extract, inline, move, batch-move) that are not present or not implemented in scripts/main.py. This is a mismatch between advertised capability and actual implementation.
Instruction Scope
Runtime instructions are local (run Python scripts against your repo), create backups under .refactoring/backup, and recommend Git integration and dry-run. Those instructions are within scope for a refactoring tool. However, the docs show CLI flags and commands (e.g. --symbol/--to, extract, inline) that differ from the actual main.py interface, which uses --old-name/-o and --new-name/-n and does not implement extract/inline/move subcommands. The mismatch could lead a user to run commands that don't exist or to expect behavior that is not implemented.
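The documentation/implementation mismatch described above is something you can check mechanically before running any skill: compare the script files and CLI subcommands that SKILL.md names against what actually ships. The following is an added example written for this review, not code from the skill or from ClawHub. It assumes the usual layout (SKILL.md beside a scripts/ directory, argparse subcommands registered via add_parser) and builds a constructed fixture that mirrors the scan findings so it runs offline.

```python
"""Audit a skill's SKILL.md against the scripts it actually ships.

Added example for this review (not the skill's own code). It reports
(a) script files referenced in SKILL.md that are absent from scripts/
and (b) subcommands shown in SKILL.md usage lines that scripts/main.py
never registers via argparse add_parser(). Layout is an assumption.
"""
from __future__ import annotations

import ast
import re
import tempfile
from pathlib import Path

SCRIPT_REF = re.compile(r"\b([\w.-]+\.py)\b")           # e.g. scripts/extract.py -> extract.py
CMD_REF = re.compile(r"\bmain\.py\s+([a-z][\w-]*)")       # e.g. "main.py extract ..." -> extract


def referenced_scripts(skill_md: str) -> set[str]:
    """Every *.py filename mentioned anywhere in SKILL.md."""
    return set(SCRIPT_REF.findall(skill_md))


def documented_commands(skill_md: str) -> set[str]:
    """Subcommand words that follow 'main.py' in documented usage lines."""
    return set(CMD_REF.findall(skill_md))


def implemented_subcommands(main_py: str) -> set[str]:
    """Walk main.py's AST and collect string literals passed to add_parser()."""
    found: set[str] = set()
    for node in ast.walk(ast.parse(main_py)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "add_parser"
                and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            found.add(node.args[0].value)
    return found


def audit_skill(root: Path) -> dict[str, set[str]]:
    """Return the documented-but-missing scripts and commands for a skill directory."""
    skill_md = (root / "SKILL.md").read_text()
    scripts_dir = root / "scripts"
    shipped = {p.name for p in scripts_dir.glob("*.py")} if scripts_dir.is_dir() else set()
    main_py = scripts_dir / "main.py"
    implemented = implemented_subcommands(main_py.read_text()) if main_py.is_file() else set()
    return {
        "missing_scripts": referenced_scripts(skill_md) - shipped,
        "unimplemented_commands": documented_commands(skill_md) - implemented,
    }


# Constructed fixture modelled on the scan findings: docs promise extract/inline and
# extract.py/utils.py, but main.py only registers rename and suggest.
FIXTURE_SKILL_MD = """# OpenClaw Refactoring
Scripts: scripts/main.py, scripts/rename.py, scripts/extract.py, scripts/utils.py
Usage:
  python scripts/main.py rename --symbol old --to new
  python scripts/main.py extract --range 10-20
  python scripts/main.py inline --symbol tmp
"""

FIXTURE_MAIN_PY = """import argparse

def main():
    parser = argparse.ArgumentParser()
    sub = parser.add_subparsers(dest="cmd")
    rename = sub.add_parser("rename")
    rename.add_argument("--old-name", "-o")
    rename.add_argument("--new-name", "-n")
    sub.add_parser("suggest")
"""


def demo() -> dict[str, set[str]]:
    """Build the fixture in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    (root / "scripts").mkdir()
    (root / "SKILL.md").write_text(FIXTURE_SKILL_MD)
    (root / "scripts" / "main.py").write_text(FIXTURE_MAIN_PY)
    (root / "scripts" / "rename.py").write_text("# stand-in for the rename engine\n")
    (root / "scripts" / "suggest.py").write_text("# stand-in for the suggestion engine\n")
    return audit_skill(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value))
```

Point it at a real unpacked skill with audit_skill(Path("path/to/skill")); anything in missing_scripts or unimplemented_commands is a documented feature you should not count on until you have read the code.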
Install Mechanism
There is no install specification (instruction-only skill with bundled scripts). Nothing is downloaded or written by an installer step beyond the included files, so install mechanism risk is low.
Credentials
The skill requires no environment variables, no credentials, and no special config paths. Its file I/O is limited to scanning and modifying files under the provided root and writing backups under .refactoring/backup, which is proportionate to a refactoring tool.
Persistence & Privilege
The skill is not always-included and doesn't request system-level privileges. It creates backups in a local .refactoring directory and can undo changes; this is expected behavior for an on-disk refactoring tool and does not modify other skills or system-wide config.
What to consider before installing/running
- The implementation appears to provide a Python rename engine and a suggestion engine only. SKILL.md advertises many more features (extract, inline, move, batch-move, JS support) and references files (extract.py, utils.py) that are not present. Do not assume those extra features exist.
- Test on a disposable branch first. Always run with --dry-run (preview) and ensure Git is used (stash/commit) before executing destructive operations.
- The tool writes backups under .refactoring/backup. Verify that backups are created and that undo works before relying on it for large changes.
- The rename implementation uses AST plus fallback text search and performs column-offset text substitutions; this can be brittle for edge cases (strings, generated code, complex formatting). Run your test suite after refactors.
- If you require extract/inline/move or JavaScript support, inspect the repository or contact the publisher: these features are documented but not implemented in the provided code.
- If anything in the output looks unexpected (modifications outside your intended scope), stop and restore from backup/Git. If you want higher assurance, manually review the code in scripts/rename.py and scripts/suggest.py before running.
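To make the rename caveat concrete, here is an added example written for this review (not the skill's rename.py) of the approach the scan describes: collect identifier positions from the AST, then rewrite the source by column offset, with a dry-run mode and a backup under .refactoring/backup before any write. It also shows the edge case the scan warns about: a plain whole-word text search (the kind of fallback the scan mentions) rewrites the name inside a string literal, while the AST-scoped rename leaves the string alone. The backup path follows the scan; the sample file and every function name are assumptions.

```python
"""AST-driven rename with dry-run and backup (added example, not the skill's code).

Identifier positions come from the AST; edits are applied by column offset,
right-to-left within each line so earlier offsets stay valid. Attribute
access (obj.count) is deliberately left alone: the AST alone cannot tell
which object's attribute it is, which is one reason AST renames stay narrow.
"""
from __future__ import annotations

import ast
import re
import shutil
import tempfile
from pathlib import Path


def name_spans(source: str, old: str) -> list[tuple[int, int, int]]:
    """(line, col, end_col) for every identifier node named `old` (1-based line, 0-based cols)."""
    lines = source.splitlines()
    spans: list[tuple[int, int, int]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name) and node.id == old:
            spans.append((node.lineno, node.col_offset, node.end_col_offset))
        elif isinstance(node, ast.arg) and node.arg == old:
            spans.append((node.lineno, node.col_offset, node.end_col_offset))
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)) and node.name == old:
            # col_offset points at the def/class keyword; find the name after it
            header = lines[node.lineno - 1]
            m = re.search(rf"\b{re.escape(old)}\b", header[node.col_offset:])
            col = node.col_offset + m.start()
            spans.append((node.lineno, col, col + len(old)))
    return spans


def ast_rename(source: str, old: str, new: str) -> str:
    """Rewrite only AST-confirmed identifiers; string literals and comments are untouched."""
    lines = source.splitlines(keepends=True)
    for lineno, col, end in sorted(name_spans(source, old), reverse=True):
        line = lines[lineno - 1]
        if line[col:end] != old:
            raise RuntimeError(f"offset drift at line {lineno}; refusing to edit blindly")
        lines[lineno - 1] = line[:col] + new + line[end:]
    return "".join(lines)


def naive_text_rename(source: str, old: str, new: str) -> str:
    """Whole-word text search: the brittle fallback that also hits strings and comments."""
    return re.sub(rf"\b{re.escape(old)}\b", new, source)


def rename_file(path: Path, old: str, new: str, root: Path, dry_run: bool = True) -> str:
    """Return the renamed text; unless dry_run, back the file up under root/.refactoring/backup and write it."""
    original = path.read_text()
    updated = ast_rename(original, old, new)
    if not dry_run and updated != original:
        backup = root / ".refactoring" / "backup" / path.relative_to(root)
        backup.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, backup)   # keep the pre-edit copy before touching the file
        path.write_text(updated)
    return updated


# Constructed sample: `count` appears as a variable and inside a string literal.
SAMPLE = '''def total(items):
    count = 0
    for item in items:
        count = count + item
    print("count is", count)
    return count
'''


def demo() -> dict[str, bool]:
    """Dry-run, then apply, then verify backup and the string-literal edge case."""
    root = Path(tempfile.mkdtemp())
    target = root / "calc.py"
    target.write_text(SAMPLE)
    preview = rename_file(target, "count", "running_total", root, dry_run=True)
    untouched_after_preview = target.read_text() == SAMPLE
    applied = rename_file(target, "count", "running_total", root, dry_run=False)
    backup = root / ".refactoring" / "backup" / "calc.py"
    naive = naive_text_rename(SAMPLE, "count", "running_total")
    return {
        "preview_equals_apply": preview == applied,
        "dry_run_left_file_alone": untouched_after_preview,
        "backup_matches_original": backup.read_text() == SAMPLE,
        "ast_kept_string_literal": '"count is", running_total' in applied,
        "naive_clobbered_string_literal": '"running_total is"' in naive,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two verification habits the scan recommends are built into demo(): compare the dry-run preview with what a real run writes, and confirm the backup is byte-identical to the original before trusting undo. The last two checks show why "AST plus text fallback" deserves a test-suite run afterwards: the moment a tool falls back to text search, strings, comments and generated code are fair game.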


latest · vk97652bwcyq195kfe5emp75hhd840zms

