CodeAlive Context Engine
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for CodeAlive code search and Q&A, but it requires a CodeAlive API key and sends queries to CodeAlive's remote service.
Install only if you trust CodeAlive and this skill publisher. Use a scoped API key, verify the configured CodeAlive endpoint, avoid pasting secrets into chat or search prompts, and choose data sources narrowly when querying private repositories.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the CodeAlive account privileges associated with that key to list, search, chat over, and fetch content from indexed repositories available to the account.
The scripts authenticate with a CodeAlive API key, including reading a CodeAlive-specific key from local credential storage, and send it as a bearer token.
self.api_key = api_key or os.getenv("CODEALIVE_API_KEY") or self._get_key_from_keychain() ... "Authorization": f"Bearer {self.api_key}"
Use a least-privileged CodeAlive API key, prefer the interactive setup over pasting keys in chat, and revoke/rotate the key if it is exposed.
Search questions, data source names, artifact identifiers, and chat prompts are sent to the configured CodeAlive service; if CODEALIVE_BASE_URL is set incorrectly, the API key and requests could go to a different endpoint.
The skill sends API requests to a remote CodeAlive endpoint, and the endpoint can be changed by an environment variable.
self.base_url = base_url or os.getenv("CODEALIVE_BASE_URL", "https://app.codealive.ai") ... urllib.request.urlopen(request, timeout=self.timeout)
Verify CODEALIVE_BASE_URL is unset or points to a trusted CodeAlive endpoint, and avoid putting secrets or sensitive incident details in search/chat prompts.
Follow-up chats may carry forward earlier questions and answers, which is useful but can also preserve sensitive context or mistaken assumptions.
The chat feature supports conversation continuity, so prior context can be reused in later questions.
print(f"💾 Conversation ID: {result['conversation_id']}") ... print(f" Use --continue {result['conversation_id']} to ask follow-up questions")
Start a new conversation for unrelated or sensitive tasks, and treat synthesized answers from indexed code as advisory rather than authoritative.
It is harder for a user to independently verify the publisher/provenance and the credential requirement from registry metadata alone.
The registry metadata does not provide a source/homepage and does not declare the API key requirement that the skill itself documents.
Source: unknown; Homepage: none; Primary credential: none
Review the included scripts before use, confirm the publisher is expected, and treat the API key setup as a required credential despite the metadata gap.
