Sovereign code-review-helper
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a local git-based code-review checklist generator with no evidence of malicious behavior, but users should note that it runs a Bash script and can write to a chosen file path.
This skill looks appropriate for generating local code-review checklists. Before installing, verify that you trust the package source, expect it to run a Bash script using git, and avoid saving output to important existing files unless you intend to overwrite them.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may not see all runtime dependencies or provenance from the registry summary alone.
The registry-level source and dependency metadata is sparse/under-declared even though the included skill.json declares a local Bash/git entry. This matters for installation trust, but the behavior is disclosed in the package artifacts.
Source: unknown
Homepage: none
Required binaries (all must exist): none
Review the included script and install only from a trusted ClawHub package/source; ensure git and bash are expected on the machine.
If the user or agent chooses a sensitive output path, generated checklist text could replace that file's contents.
The script writes generated output to a caller-supplied path. This is documented and purpose-aligned, but an unsafe path could overwrite an existing file.
--output-file) OUTPUT_FILE="$2"; shift 2 ;; ... echo "$output" > "$OUTPUT_FILE"
Use stdout or a new file in a safe directory, and review any --output-file path before running.
