Code Mentor
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: code-mentor
Version: 1.0.2
The skill is classified as suspicious due to several high-risk capabilities, although without clear evidence of intentional malicious intent. The `SKILL.md` contains direct instructions to the AI agent to update `references/user-progress/learning_log.md`, which, while benign in purpose, demonstrates a form of prompt injection. More significantly, the `scripts/run_tests.py` script executes user-provided code via external test runners (`pytest`, `unittest`, `jest`), allowing for potential arbitrary code execution if a malicious user provides a crafted test file. Additionally, the `scripts/analyze_code.py` and `scripts/complexity_analyzer.py` scripts can read and process arbitrary files, which could be leveraged by a malicious agent to access sensitive local data and output its content.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you run the test helper on untrusted code, that code may execute with your local user permissions.
The optional test runner executes pytest, unittest, or Jest against a user-specified target, which necessarily runs local test/project code.
cmd = ['python', '-m', 'pytest', self.target, '-v', '--tb=short']
...
cmd = ['npx', 'jest', self.target, '--verbose']
Only run the test helper on projects you trust, preferably in a virtual environment or sandbox for unfamiliar code.
Installing optional dependencies may fetch newer package versions than the author tested.
The optional helper-script dependencies use lower-bound version constraints rather than exact pins.
pylint>=2.15.0
pytest>=7.2.0
colorama>=0.4.6
If you use the optional scripts in a sensitive environment, install dependencies in an isolated environment and consider pinning versions yourself.
Learning notes, topics, or insights may persist locally and influence future tutoring sessions.
The skill describes persistent progress tracking that can be reused across sessions.
Your learning progress is automatically saved to `references/user-progress/learning_log.md` after each session.
Avoid storing sensitive personal or proprietary details in learning progress, and review or delete the learning_log.md file if you do not want persistence.
