v1.0.0

AANA Code Change Review Skill

Review

ClawScan verdict for this skill. Analyzed May 2, 2026, 10:02 PM.

Analysis

The skill’s instructions are mostly safety-focused, but its capability signals claim wallet, purchase, transaction-signing, and sensitive-credential access that does not fit the stated code-review purpose.

Guidance: The skill text itself appears to be a benign code-review checklist, but the listed capability signals are unusually broad for that purpose. Before installing, verify whether those signals are platform permissions or false positives; if they are real, decline the unnecessary wallet, purchase, signing, and sensitive-credential access.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: Medium | Status: Concern
metadata
Capability signals: crypto; requires-wallet; can-make-purchases; can-sign-transactions; requires-sensitive-credentials

These signals imply access to wallet/payment/signing or sensitive credential capabilities, which is not justified by the stated instruction-only code-change review function and conflicts with the listed absence of required credentials.

User impact: If these capability signals reflect real installation permissions, the skill may receive or imply access to sensitive financial or credential-related authority that a code-review helper should not need.

Recommendation: Do not grant wallet, purchase, transaction-signing, or sensitive-credential permissions unless the publisher explains why they are required and the platform confirms they are not actually enabled for this instruction-only skill.