Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Astronclaw Code Review

v1.0.0

AI-driven automated analysis of code quality, security vulnerabilities and performance bottlenecks, with multi-dimensional review and detailed report generation.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (AI code review with security, performance and quality analysis) align with the included source files (analyzers, report generator, AI recommendation engine). The code contains the expected modules and rules for static analysis; nothing in it suggests unrelated capabilities (for example, cloud admin access).
Instruction Scope
Runtime instructions and examples focus on scanning files, generating reports, and optionally calling an AI provider. The README/SKILL.md suggest reading project files and writing reports to disk (fs usage) and optionally invoking an external AI service. Those actions are reasonable for a code-review skill, but the SKILL.md also references environment variables and network calls for AI that are not handled consistently in the metadata/code.
Install Mechanism
There is no install spec (instruction-only from the registry perspective). The package contains code but uses standard npm dependencies; there are no downloads from arbitrary URLs or extract steps in the provided metadata.
Credentials
SKILL.md documents IFLYTEK_SPARK_API_KEY and IFLYTEK_SPARK_API_SECRET and describes external AI network calls, but the skill metadata (skill.json / package.json) declares neither required env vars nor a primary credential. The code's AI path instead expects an aiApiKey passed via options (generateAIRecommendations checks options.aiApiKey), and the callIflytekSparkAPI implementation is a simulated stub. This three-way mismatch (documented env vars vs. metadata vs. actual implementation) is the main inconsistency: the registry cannot surface the credential request, and a later version that replaces the stub with real network calls could begin sending credentials and project code without any change to the declared capabilities.
Persistence & Privilege
The skill does not request 'always: true' and has no special OS/config path requirements. It reads files (expected for scanning) and writes reports in examples; that is within expected scope and confined to the skill's own operation.
What to consider before installing
This skill mostly appears to implement a local static-analysis/code-review tool, but the documentation claims integration with iFlyTek (讯飞星火) and lists API keys that are not declared in the skill metadata. Before installing or providing any credentials:
1) Ask the author to clarify whether the skill will call external AI services and, if so, why skill.json does not declare the required environment variables/primary credential.
2) Inspect or request the implementation of callIflytekSparkAPI (or any networking code) to confirm it does not transmit project code to unknown endpoints.
3) If you must test it, run it in a sandboxed environment (no sensitive code, no real API keys) and monitor outbound network connections.
4) Do not supply real API keys (IFLYTEK_SPARK_API_KEY/SECRET or similar) until you have verified the destination, the data handling policy, and the trustworthiness of the repository/author.
5) If you plan to use the AI integration, insist that the author update skill.json to list the required env vars (so the registry can surface credential requests) and document the exact network endpoints and data retention policy.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/tools/analyzers/security-analyzer.js:110 · Dynamic code execution detected.
test/basic.test.js:34 · Dynamic code execution detected.
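Steps 2 and 5 in the checklist above, and the two dynamic-execution findings, come down to the same review question: what does the package actually reference (env vars, network calls, code execution) versus what its metadata declares, and is a flagged pattern a real call or just a string inside a rule table? The script below is an added example of that check, written for this page; it is not part of the Astronclaw skill or of ClawHub's scanner. The skill.json, file paths and file contents are constructed samples, and the regexes are a starting point, not a complete taxonomy.

```javascript
'use strict';

// Added example (not the Astronclaw skill's code). Audits a skill package for
// three things a reviewer asks about: environment variables referenced in docs
// or code but not declared in skill.json, outbound network calls, and dynamic
// code execution. All file contents below are constructed samples.

// Constructed skill.json: declares no environment variables.
const SKILL_JSON = { name: 'sample-code-review', version: '1.0.0', env: [] };

// Constructed package files (hypothetical paths and contents).
const FILES = {
  'SKILL.md': [
    '# Setup',
    'Export IFLYTEK_SPARK_API_KEY and IFLYTEK_SPARK_API_SECRET before running.',
  ].join('\n'),
  'src/ai.js': [
    "const https = require('https');",
    'function callProvider(payload, options) {',
    '  const key = options.aiApiKey || process.env.IFLYTEK_SPARK_API_KEY;',
    "  const req = https.request({ host: 'api.example.invalid', method: 'POST' });",
    '  req.end(JSON.stringify({ key, payload }));',
    '}',
    'module.exports = { callProvider };',
  ].join('\n'),
  'src/analyzers/security-analyzer.js': [
    '// rule table: these strings are what the analyzer looks for, not calls it makes',
    "const DANGEROUS = ['eval(', 'new Function(', 'child_process.exec('];",
    'function isRisky(line) { return DANGEROUS.some((p) => line.includes(p)); }',
    'module.exports = { isRisky };',
  ].join('\n'),
  'src/report.js': [
    '// genuine dynamic execution: the template is compiled and run as code',
    'function render(tpl, data) { return new Function("d", "return `" + tpl + "`")(data); }',
    'module.exports = { render };',
  ].join('\n'),
};

// Patterns to look for. Code is scanned after string literals and comments are
// blanked out, so a rule table that merely names eval( is not reported.
const ENV_IN_CODE = /process\.env\.([A-Z][A-Z0-9_]*)/g;
const ENV_IN_DOCS = /\b([A-Z][A-Z0-9_]{2,}_(?:KEY|SECRET|TOKEN|PASSWORD))\b/g;
const NETWORK = /\b(?:https?\.(?:request|get)|fetch|axios\.\w+|net\.connect|new\s+WebSocket)\s*\(/g;
const DYN_EXEC = /\b(?:eval|new\s+Function|vm\.runIn\w+|child_process\.\w+|execSync|spawn)\s*\(/g;

// Blank out string literals and comments, keeping newlines so that reported
// line numbers stay valid. Covers '...', "...", `...`, // and /* */.
function stripLiterals(src) {
  let out = '';
  let i = 0;
  const keep = (ch) => (ch === '\n' ? '\n' : ' ');
  while (i < src.length) {
    const c = src[i];
    const n = src[i + 1];
    if (c === '/' && n === '/') {
      while (i < src.length && src[i] !== '\n') i += 1;
    } else if (c === '/' && n === '*') {
      i += 2;
      while (i < src.length && !(src[i] === '*' && src[i + 1] === '/')) { out += keep(src[i]); i += 1; }
      i += 2;
    } else if (c === "'" || c === '"' || c === '`') {
      out += ' ';
      i += 1;
      while (i < src.length && src[i] !== c) {
        if (src[i] === '\\') i += 1; // skip the escaped character
        out += keep(src[i]);
        i += 1;
      }
      out += ' ';
      i += 1;
    } else {
      out += c;
      i += 1;
    }
  }
  return out;
}

// Every match of a global regex with its 1-based line number.
function findAll(text, re) {
  const hits = [];
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    hits.push({ line: text.slice(0, m.index).split('\n').length, match: m[0], group: m[1] });
  }
  return hits;
}

// Compare what the package references against what skill.json declares.
function auditSkill(skillJson, files) {
  const declared = new Set(skillJson.env || []);
  const envRefs = new Map(); // env var name -> ["path:line", ...]
  const network = [];
  const dynExec = [];
  for (const [path, src] of Object.entries(files)) {
    const isCode = /\.(?:js|mjs|cjs|ts)$/.test(path);
    const text = isCode ? stripLiterals(src) : src;
    for (const h of findAll(text, isCode ? ENV_IN_CODE : ENV_IN_DOCS)) {
      if (!envRefs.has(h.group)) envRefs.set(h.group, []);
      envRefs.get(h.group).push(`${path}:${h.line}`);
    }
    if (!isCode) continue;
    for (const h of findAll(text, NETWORK)) network.push({ path, line: h.line, call: h.match });
    for (const h of findAll(text, DYN_EXEC)) dynExec.push({ path, line: h.line, call: h.match });
  }
  const undeclaredEnv = [...envRefs.keys()].filter((name) => !declared.has(name)).sort();
  return { undeclaredEnv, envRefs, network, dynExec };
}

function formatReport(result) {
  const lines = [];
  for (const name of result.undeclaredEnv) lines.push(`undeclared env ${name}: ${result.envRefs.get(name).join(', ')}`);
  for (const n of result.network) lines.push(`network call ${n.call} at ${n.path}:${n.line}`);
  for (const d of result.dynExec) lines.push(`dynamic code execution ${d.call} at ${d.path}:${d.line}`);
  return lines;
}

console.log(formatReport(auditSkill(SKILL_JSON, FILES)).join('\n'));
```

Run it with node; on a real package, replace FILES with the result of walking the unpacked zip. The sample shows why the literal stripping matters: an analyzer that keeps 'eval(' in a rule table executes nothing, while new Function(...) in a template renderer does, and a scanner that only greps reports both identically. The script does not decide whether a network call is legitimate; it tells you where the call is and which credential feeds it, which is what step 2 asks you to inspect before handing over any key.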

Like a lobster shell, security has layers — review code before you run it.

latest · vk978epqwe5340cad81xw1m3cwh84jvgp

