Back to skill
Skillv1.0.0
ClawScan security
Open Code Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 16, 2026, 3:25 PM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (scanning AI-generated code) is plausible, but its runtime instructions rely on remote npm/MCP services and mention API keys without declaring required credentials or data-handling guarantees — this creates a risk that repository code or secrets could be sent to external endpoints unexpectedly.
- Guidance
- This skill probably does what it claims (code scanning) but relies on remote services that could receive your repository contents. Before installing or running: (1) confirm where scans are executed (local vs remote) and read the MCP/npx endpoints' privacy/data-retention terms; (2) avoid running deep-scan modes until you know which API key/environment variables are required and how they are used; (3) prefer self-hosting the MCP server or running the CLI in an isolated sandbox if you must scan private code; (4) do not provide repository secrets or wide-scoped tokens to the tool; (5) if the MCP URL or domain looks unfamiliar (the worker.dev host here), treat it as untrusted until you can verify ownership. If you need higher assurance, request the maintainer to declare required env vars, provide a reproducible local install flow, and document data handling.
Review Dimensions
- Purpose & Capability
- noteThe SKILL.md content matches the advertised purpose (code scanning for AI-specific defects) and references appropriate tooling (an npm CLI, L1–L3 scan levels). However, deeper-scan modes explicitly require an 'Ollama or API key' yet the skill metadata declares no required credentials — an incoherence worth flagging.
- Instruction Scope
- concernThe instructions instruct use of an npx CLI and an MCP server (either a URL on a third-party worker.dev domain or via 'npx -y @opencodereview/mcp-server'). Running these will cause code and dependency downloads and may send repository code off-host for processing. The SKILL.md does not state data handling, retention, or privacy guarantees, so the agent could unintentionally transmit source code or secrets to external endpoints.
- Install Mechanism
- concernThere is no formal install spec (instruction-only), but the guide expects dynamic installs via npx and suggests an MCP URL hosted at 'open-code-review-mcp.v2ray-seins.workers.dev' — a non-standard domain (v2ray name) rather than an official release host. Dynamic npx installs and calling an external MCP endpoint are moderate-to-high risk because they fetch and execute remote code at runtime.
- Credentials
- concernSKILL.md mentions 'requires Ollama or API key' for deeper scans but the skill metadata lists no required environment variables or primary credential. This mismatch means the skill may need API keys or secrets in practice but doesn't declare them up front, which is incoherent and increases the chance of ad-hoc credential use or accidental leakage.
- Persistence & Privilege
- okThe skill does not request always-on inclusion, does not declare config path access, and does not appear to request elevated or persistent platform privileges. Default autonomy is allowed (normal) but not combined with other elevated flags.