Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Assistant
v1.0.0 · Specialized programming assistant. Analyzes code, finds bugs, suggests optimizations, refactors, and generates documentation automatically.
⭐ 0 · 975 · 12 current · 12 all-time
by Miguel Guerra @miguelguerra200022-sudo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The analyzer.ts implements static analysis, doc generation and simple suggestions which fit the 'code assistant' purpose. However SKILL.md advertises additional capabilities (delegation to Codex/Claude/Pi, self-repair, knowledge-base, expert-researcher, auto-fix) that are not implemented in the provided script. Also SKILL.md uses a 'code' CLI command while the repository provides scripts/analyzer.ts (no install or wrapper to expose a 'code' binary). This mismatch is likely marketing/packaging sloppiness but reduces confidence.
Instruction Scope
Runtime instructions are focused on running a local CLI to analyze project files and refer only to config env vars declared in SKILL.md. The shipped script reads arbitrary files under project directories (expected for a code analyzer). The SKILL.md's references to delegating tasks to external agents (Codex/Claude/Pi) and 'knowledge-base' searching are not backed by code; if an operator uses such delegation in practice it could expose source code to third-party APIs — the skill does not document required API credentials or safeguards.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However the package includes a runnable script (scripts/analyzer.ts) but provides no install/wrapping to create the advertised 'code' command; this is a packaging inconsistency rather than an active install risk. The script itself performs only local filesystem reads and has no network calls or archive downloads.
Credentials
No required secrets or credentials are declared. The script optionally reads benign configuration environment variables (CODE_MAX_COMPLEXITY, CODE_DEFAULT_STYLE, CODE_AUTO_FIX, CODE_IGNORE_PATTERNS) which are proportional to a code analysis tool. No unrelated or excessive env vars are requested.
Persistence & Privilege
The skill does not request always:true and does not declare any persistent/system-wide changes. It contains local analysis code only and does not modify other skills or global agent settings.
What to consider before installing
This skill appears to implement a local static analyzer (scripts/analyzer.ts) and the basic features in SKILL.md, but the documentation claims extra integrations (third-party agents, self-repair, knowledge base) that are not implemented or documented. Before installing: (1) Ask the publisher for a homepage or source repo, for details about the advertised integrations, and whether any external APIs will be used and which credentials are required. (2) Inspect the included scripts yourself (they are bundled here) and run them locally in a safe environment — they read project files but do not perform network calls. (3) Avoid using any 'delegate to external agent' options unless you understand and accept that source code may be transmitted to third parties. (4) Verify how the advertised 'code' CLI is intended to be installed or wrapped if you expect to run the commands shown in SKILL.md.
Like a lobster shell, security has layers — review code before you run it.
latestvk9773p6gjqvt6566kznbgfcxxh8210en
Runtime requirements
💻 Clawdis
