Secure Code Review
Version: v1.0.0
Review code for security vulnerabilities and reliability anti-patterns: scan for SQL injection risks (raw string concatenation into queries), XSS exposure (u...
by Hung Quoc To (@quochungto)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (medium confidence)
Purpose & Capability
The name, description, and discovery tasks all describe scanning a codebase for injection, XSS, auth, and type-safety anti-patterns. The declared inputs (codebase or design doc) and the listed tools (Grep, Read) are appropriate and proportionate for that purpose.
Instruction Scope
SKILL.md instructs the agent to run repository-wide text searches (grep) and to read flagged files to produce findings; this is expected for a code review. Note: the optional tools include Bash and Write, which would allow shell commands or file modification if invoked. The instructions as present focus on reading, searching, and producing a report, but a user should be aware that the skill could be extended to run shell commands if the agent is allowed to use the optional tools.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, which minimizes filesystem footprint and avoids fetching external code.
Credentials
The skill requests no environment variables, credentials, or config paths. Its need to read the repository root is proportional to its stated goal of scanning source files.
Persistence & Privilege
The skill is not marked always:true and uses the platform default for invocation. It does not request persistent system-wide privileges or modify other skills' configs in the provided instructions.
Assessment
This skill appears to do what it claims: repository-wide text searches and file reads to identify injection, XSS, authorization, and type-safety anti-patterns. Before installing or invoking it, confirm you intend to grant the agent read access to the target repository (it will examine source files). Because SKILL.md is a draft and the skill source is 'unknown', consider the following: run it first on a non-sensitive repository or on a subset of the repo, ensure no secrets are present in the scanned files, and review the full SKILL.md to confirm it won't be extended to run arbitrary shell commands (optional Bash) or write changes unless you explicitly allow that. If you need threat modeling, cryptography, or infra reviews, use the skills the README points to instead.

Like a lobster shell, security has layers: review code before you run it.
Runtime requirements: Clawdis
