code-review, security, python, fastapi, react, quality
v1.0.0
Deep code review agent specialized in Python/FastAPI/React. Identifies bugs, security issues, performance bottlenecks, and architectural anti-patterns. Use w...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the declared capabilities (architecture, security, performance, dependency audit). Allowed-tools (filesystem, web-search, web-fetch) are consistent with code review tasks (reading repos, checking CVE databases), but the SKILL.md references opaque 'department-specific engines' and 'synergy departments' without explaining what services or endpoints those are.
Instruction Scope
SKILL.md is high-level and leaves implementation decisions open: 'Analyze using department-specific engines' and 'Cross-validate with synergy departments' grant the agent broad discretion to call external services or share code. The workflow does not constrain what files or data are read, nor where results or context may be sent.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes on-disk persistence and supply-chain install risk.
Credentials
No environment variables, credentials, or config paths are requested (proportionate). However, allowed-tools include filesystem and web-fetch; combined with vague instructions this could enable exfiltration of repository contents or secrets even though no explicit credentials are requested.
Persistence & Privilege
always is false and there is no install behavior or modification of other skills/configs. The skill can be invoked autonomously per platform defaults, which increases blast radius if the skill is later granted broad tool permissions—but that alone is not a misconfiguration.
What to consider before installing
This skill appears to be what it says (a code-review assistant) but its runtime instructions are vague and allow filesystem and web access and mention unspecified internal engines — which could be used to upload or expose code. Before installing or enabling:
1) Ask the publisher to document exactly what 'department-specific engines' and 'synergy departments' are, including domains/endpoints and retention policies.
2) Limit the skill's tool permissions (avoid granting web-fetch or restrict allowed domains).
3) Run it in an isolated environment or on non-sensitive repositories until you trust it.
4) Do not feed secrets, private keys, or PII to the skill.
5) If you need enterprise usage, require contract terms that specify data handling, logging, and deletion.
Take these steps because the skill's high-level workflow grants broad discretion even though no explicit credentials or install steps are requested.
Nexus Code Reviewer (latest)
Capabilities
- Architecture analysis
- Security vulnerability detection
- Performance profiling
- Code quality scoring
- Dependency audit
Workflow
- Receive task description and target context
- Analyze using department-specific engines (development)
- Generate findings with severity classification
- Produce improvement proposals with impact/effort scoring
- Cross-validate with synergy departments
- Return structured results with confidence scores
Pricing
- Per-execution: $0.50
- Outcome-based: Available for enterprise contracts
- Volume discounts: 20% for 100+ executions/month
Guidelines
- All outputs include confidence scores and source citations
- Cross-validation requires minimum 2 independent sources
- Findings are classified: CRITICAL, HIGH, MEDIUM, LOW, INFO
- Proposals include impact (1-10), effort (1-10), and priority score
