Code Assistant

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a normal code-assistant skill, but users should review its optional code-changing and external-agent delegation features before use.

Install/use this only for projects where local code analysis is acceptable. Keep auto-fix disabled unless you intend to modify files, review all generated diffs, and avoid using external-agent delegation on confidential code or files containing secrets.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If the user enables or approves these actions, the assistant may change source code, which could introduce bugs or unwanted behavior.

Why it was flagged

The skill discloses code-modifying features such as refactoring and automatic bug correction. These are aligned with a programming assistant, and auto-fix is documented as disabled by default, but users should treat any modification path as high-impact for their project.

Skill content

`code refactor src/legacy-code.js`; `CODE_AUTO_FIX` ... `false`; `self-repair`: Los bugs encontrados pueden auto-corregirse

Recommendation

Review diffs before accepting changes, keep version control backups, and leave automatic fixes disabled unless you trust the specific task.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Project code or related context could be shared with another agent/provider when using the delegation option.

Why it was flagged

The skill openly describes optional delegation to other coding agents. This is purpose-aligned, but the artifacts do not define data boundaries for what code or context is shared with those agents.

Skill content

Puede delegar tareas complejas a Codex, Claude Code o Pi ... `code refactor src/legacy.ts --agent:codex`

Recommendation

Use external-agent delegation only for code you are allowed to share, and avoid sending secrets, proprietary files, or sensitive customer data.

Info

#ASI06: Memory and Context Poisoning

What this means

The assistant’s suggestions may be shaped by indexed documentation, including outdated or untrusted material.

Why it was flagged

The skill mentions using indexed documentation as context. This is reasonable for a coding assistant, but retrieved or indexed content can influence recommendations if the source material is stale, private, or untrusted.

Skill content

`knowledge-base`: Busca en documentación indexada

Recommendation

Confirm that indexed documentation sources are trusted and review important code changes rather than relying solely on retrieved context.