source code analysis

v1.0.1

This skill should be used when the user asks to "analyze source code", "understand this codebase", "perform code analysis", "study this project", "explain th...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name and description match the SKILL.md content: a methodology for analyzing codebases. It doesn't request unrelated binaries, credentials, or config paths, so required resources are proportionate to its stated purpose.
Instruction Scope
Instructions stay on-topic (read READMEs, inspect directory structure, trace call paths, run/debug code). They do recommend running and debugging code and examining build/test/deployment processes — behavior appropriate for code analysis but potentially risky if the agent executes untrusted code or has broad filesystem/network access. The SKILL.md does not instruct any unexpected data exfiltration or access to secrets.
Install Mechanism
No install spec and no code files (instruction-only). Nothing will be written to disk by the skill itself during installation.
Credentials
No environment variables, credentials, or config paths are required. The declared environment access is minimal and appropriate for an analysis methodology document.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent or elevated platform privileges. Autonomous invocation is allowed by default (not flagged here) but is not combined with other high-risk requests.
Assessment
This skill is coherent and lightweight, but it recommends running and debugging repository code as part of analysis. Before using it: (1) avoid giving access to secrets or credentials; (2) run any code in an isolated/sandboxed environment (container, VM, ephemeral runner); (3) restrict network access if you don't trust the code; (4) review any outputs the agent emits before sharing externally; and (5) if you plan to let the agent operate on a private repo, audit what files it can read. These precautions mitigate the normal risks of executing untrusted code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cxqxh9pnwea3z94yybzg8r1844vxb
