Skill v1.0.0

ClawScan security

QA Reviewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 6:10 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill's files and scripts mostly match the QA/testing purpose, but there are small incoherences (a missing referenced script) and it will compile/run project tests, which is expected for a tester but risky if used on untrusted code; the skill's source/maintainer are unknown.
Guidance

What to consider before installing/using this skill:

- Source and provenance: the skill's Source/Homepage are unknown and the package repo URL in package.json should be verified (it may not exist). Be cautious installing skills from unknown maintainers.
- Missing referenced script: SKILL.md/README reference generate_report.sh, but that file is not present. Expect minor documentation drift or a packaging error; verify the intended behavior before relying on it.
- Test execution risk: run_tests.sh can compile and execute project tests (cmake/make or pytest). If the project contains untrusted code or malicious test runners, executing tests can run arbitrary code on your machine. This is expected for a testing tool but is a security risk when used on unknown repositories.
- Recommended mitigations:
  - Inspect the scripts (scripts/*.sh) yourself before running them. They are simple and readable here, but still review any changes in future versions.
  - Run the scripts in an isolated environment (container, VM, sandbox) or on a CI runner with limited privileges when scanning untrusted projects.
  - Verify the repository URL and maintainer identity; prefer skills from known/trusted publishers.
  - If you only need static analysis or report generation, consider running code_review.sh only (it mostly greps/finds and writes a markdown report) instead of running compiled tests.
  - If you want higher assurance, ask the maintainer to add the missing generate_report.sh or clarify the docs, and to provide a signed repository or official homepage.

Review Dimensions

Purpose & Capability
note: Name/description promise code review, testing, coverage and tracking for C++/Python/JS; the repository contains review and test scripts, templates, examples and docs that align with that purpose. Minor inconsistency: SKILL.md and README mention a generate_report.sh script (quick-start step 3 and README), but no generate_report.sh exists in the file manifest.
Instruction Scope
concern: SKILL.md instructs the agent to run scripts under ~/.openclaw/extensions/qa-reviewer/scripts/ (code_review.sh, run_tests.sh). The included scripts scan the project, create report files, and compile and run tests (cmake/make or pytest). Running tests implies executing compiled binaries or Python tests from the target project, which is expected for a test tool but a potential risk if the tests contain malicious code. The quick-start references a missing generate_report.sh, which is an incoherence in the instructions.
Install Mechanism
ok: No install spec is provided (instruction-only plus shipped scripts). Nothing is downloaded or installed by the skill itself, so install risk is lowest.
Credentials
ok: The skill declares no required environment variables, no credentials, and no special config paths. The scripts operate on a project path supplied by the user (default '.'), which is proportional to the stated purpose.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated privileges. It does create report files in the project directory when invoked, which is expected behaviour and limited in scope.