QA Reviewer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This QA skill appears purpose-aligned and non-malicious, but users should be aware that it runs local build/test commands and that its documentation references a script which is not in the package, a minor documentation/packaging inconsistency.
This skill is reasonable for code review and testing. Before installing or using it, be comfortable with it reading the chosen project, writing Markdown reports, and running local build/test commands such as cmake, make, or pytest. Use it on trusted projects and check the installed scripts because the documented generate_report.sh file is not present in the reviewed package.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running tests on an untrusted or unfamiliar project could execute that project's test/build code on the user's machine.
The test runner can build and execute project test binaries or run pytest. This is expected for a QA/testing skill, but it means using the skill may execute code from the target project.
cmake .. > /dev/null 2>&1
make > /dev/null 2>&1
...
./srm_tests
...
pytest tests/ -v
Run the test script only in intended, trusted worktrees and review project test/build files before allowing an agent to execute them.
A test report file could be written in an unexpected parent directory, though the content is limited to the generated test summary.
In the pytest branch, the script runs cd "$PROJECT_PATH" before pytest and cd .. afterwards, so with the default project path '.' the report path is resolved relative to the parent directory and the generated TEST_RESULT file may be created one level above the intended project.
PROJECT_PATH="${1:-.}"
...
cd "$PROJECT_PATH"
pytest tests/ -v
TEST_RESULT=$?
cd ..
...
cat > "$PROJECT_PATH/TEST_RESULT_$TIMESTAMP.md"
Prefer invoking the script with an absolute project path, or adjust the script to preserve and restore the original working directory safely.
Following the documented quick start may fail or lead users to look for a script that is not included in the reviewed artifacts.
The skill documentation references a generate_report.sh helper, but the provided manifest and file contents include only code_review.sh and run_tests.sh under scripts, creating a packaging/documentation inconsistency.
~/.openclaw/extensions/qa-reviewer/scripts/generate_report.sh
Verify the installed package contents before use and rely only on the included scripts unless the missing report generator is supplied and reviewed.
