Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
claude-review
v1.0.1
Self-review quality gate using Claude CLI. When the user says 'review your work', 'use review-work', or 'check your output', run review-work with the task su...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (run an independent Claude-based review) matches the included script. However the SKILL.md repeatedly asserts the agent should 'determine all arguments yourself — the user does NOT need to specify them', while the shipped review-work.sh requires an explicit task summary and --context path. The SKILL.md also references a required Claude API key but the registry metadata does not declare any required env var or credential — a mismatch between claimed needs and declared requirements.
Instruction Scope
The runtime instructions and script ask Claude to read all files at the provided path (and optionally a skill SKILL.md and LESSONS.md). That is coherent for a reviewer, but the SKILL.md also contains a system-level reviewer prompt which is appended to the model invocation and a pre-scan flagged 'system-prompt-override' pattern was detected. The script uses claude with --tools 'Read,Glob,Grep' and instructs the model to 'Read ALL files', which can expose arbitrary user files under the provided path; combined with the appended system prompt and the --dangerously-skip-permissions flag (used in the script), this elevates the risk that the reviewer will access sensitive data if the context path is broad or mis-specified.
Install Mechanism
No install spec; this is an instruction-only skill plus a single shell script. Nothing is downloaded or written by an installer. Risk from install mechanism itself is low.
Credentials
The skill requires a working Claude CLI with a valid API key, and the SKILL.md documents LESSONS_FILE override via LESSONS_FILE env var and optionally SKILLS_DIR. Yet the registry metadata lists no required environment variables or primary credential. The need for a Claude API key is not declared in the metadata, so the skill is under-declared and could mislead users about credential requirements.
Persistence & Privilege
always:false (good). The script writes to a LESSONS.md in the user's home workspace (default ~/.openclaw/workspace/LESSONS.md) when reviews fail — persistent storage of review failures is intentional for the feature. This is not an escalation of platform privileges, but it does create persistent files in the user's home and may aggregate review results; users should confirm they are comfortable with that path and its contents.
Scan Findings in Context
[system-prompt-override] expected: The skill appends a system prompt to the Claude invocation to instruct the reviewer. Appending a system prompt is expected for controlling a reviewer, but the pattern is a recognized prompt-injection indicator and combined with --dangerously-skip-permissions it increases risk; review the prompt text and the CLI flags carefully.
What to consider before installing
This skill is basically a wrapper that calls your local 'claude' CLI to perform a file-based review and then optionally appends failed items to a LESSONS.md in your home workspace. Before installing or enabling it:
1) Confirm you have the claude CLI and a Claude API key, and understand where that key is stored (the skill metadata does not declare it).
2) Inspect the script (review-work.sh) yourself — it uses --dangerously-skip-permissions and asks the model to read ALL files under the provided context path, so avoid passing broad paths (like ~ or /) that could expose unrelated files.
3) Be aware it will create/append to LESSONS.md by default at ~/.openclaw/workspace/LESSONS.md (or the path in LESSONS_FILE); if you don't want persistent logs, set LESSONS_FILE to a location you control or remove the auto-log block.
4) The SKILL.md claims the agent will auto-determine arguments, but the script requires explicit task/context; confirm how your agent integration will populate those args.
5) If you plan to use this in production or with sensitive data, test it in a sandbox and consider removing or modifying the --dangerously-skip-permissions flag or tightening the allowed tool usage before trusting it with private files.
Like a lobster shell, security has layers — review code before you run it.
