v1.0.0

Sovereign code-review-helper

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:57 AM.

Analysis

This is a local git-based code-review checklist generator with no evidence of malicious behavior, but users should be aware that it runs a Bash script and can write to a caller-chosen file path.

Guidance

This skill looks appropriate for generating local code-review checklists. Before installing, verify that you trust the package source, expect it to run a Bash script using git, and avoid saving output to important existing files unless you intend to overwrite them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low
Confidence: Medium
Status: Note
metadata
Source: unknown
Homepage: none
Required binaries (all must exist): none

The registry-level source and dependency metadata is sparse/under-declared even though the included skill.json declares a local Bash/git entry. This matters for installation trust, but the behavior is disclosed in the package artifacts.

User impact: A user may not see all runtime dependencies or provenance from the registry summary alone.
Recommendation: Review the included script and install only from a trusted ClawHub package/source; ensure git and bash are expected on the machine.
Tool Misuse and Exploitation
Severity: Low
Confidence: High
Status: Note
scripts/review.sh
--output-file)    OUTPUT_FILE="$2"; shift 2 ;; ... echo "$output" > "$OUTPUT_FILE"

The script writes generated output to a caller-supplied path. This is documented and purpose-aligned, but an unsafe path could overwrite an existing file.

User impact: If the user or agent chooses a sensitive output path, generated checklist text could replace that file's contents.
Recommendation: Use stdout or a new file in a safe directory, and review any --output-file path before running.