Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Code Review Assistant (AI代码审查助手)

v1.0.0

Code review assistant: automatically analyzes code and provides review comments, performance-optimization suggestions and security-vulnerability detection. Supports multiple programming languages and generates detailed code-review reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The name and description promise a Node-based code-review tool. The declared dependency on the 'node' binary is consistent with that, but the skill bundle contains no scripts, modules, or install steps that would implement the promised functionality. The instructions tell you to run 'node scripts/review.mjs', yet the bundle provides neither that file nor a mechanism to obtain it; the claim and the contents do not match.
Instruction Scope (flagged)
SKILL.md and README instruct the agent or user to run 'node scripts/review.mjs', to use 'clawhub install', and to analyze project files (expected for a reviewer). Because the runtime script is not included, it is unclear whether an implementation would read only project files or also access or send other data. The instructions grant broad discretion (run a script that is not present), which is a security risk until the actual script has been inspected.
Install Mechanism (flagged)
There is no install spec. The README mentions 'clawhub install' and a GitHub homepage, but the registry bundle contains only documentation files and no code. Without a defined, verifiable install source (for example, a pinned release or scripts included in the bundle), the agent or user would have to fetch code from an external location, which increases risk because the fetched code is not part of this package and cannot be reviewed here.
Credentials
The skill requests only the 'node' binary and declares no environment variables, credentials, or config paths. That is proportionate to a local code-analysis tool.
Persistence & Privilege
'always' is false, and there is no indication that the skill requests persistent or privileged presence or modifies other skills. Autonomous invocation is allowed (the platform default) but is not combined with other high-privilege requests.
What to consider before installing
This package claims to be a Node-based code reviewer, but the bundle lacks the scripts it tells you to run and has no install recipe. Before installing or running anything: verify the upstream GitHub repository and inspect the actual 'scripts/review.mjs' (or whatever runtime files it ships) to see what they do; prefer skills that include their runtime or provide a clear, auditable install step; and do not allow the agent to fetch or run remote code without reviewing it first. Remember that a code-review tool reads your project files: do not point it at secrets or sensitive code until you have confirmed it does not exfiltrate data.
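The check the scan describes, as an added example that is neither ClawHub's scanner nor the skill's own code: given the list of files in a bundle and its documentation text, it extracts every script the docs tell the agent to run, reports the ones the bundle does not ship, and flags install steps that would pull code from outside the package. The regex patterns, the verdict labels and the skill name 'ai-code-review' are assumptions, and both bundles below are constructed to mirror the shape of the flagged skill rather than copied from it.

```javascript
// Added example (not part of the flagged skill or of ClawHub): audit a skill bundle
// for documentation that tells the agent to run a script the bundle does not ship,
// plus instructions that fetch code from outside the bundle. Bundle contents are constructed.

// A runtime invocation followed by a script path (node, python, shell interpreters).
const RUNTIME_INVOCATION = /\b(?:node|bun|deno\s+run|python3?|bash|sh)\s+([\w./-]+\.(?:m?js|cjs|ts|py|sh))/g;

// Install or bootstrap steps that pull code from outside the bundle (assumed pattern list).
const REMOTE_FETCH = /\b(?:clawhub\s+install|git\s+clone|curl\s+[^\n]*\|\s*(?:sh|bash)|npx\s+[\w@./-]+)\b/g;

// Treat "./scripts/x.mjs" and "scripts/x.mjs" as the same path.
const normalise = (p) => p.replace(/^\.\//, '');

// Every script path the documentation tells the agent to execute, deduplicated and sorted.
function referencedScripts(docText) {
  const refs = new Set();
  for (const m of docText.matchAll(RUNTIME_INVOCATION)) refs.add(normalise(m[1]));
  return [...refs].sort();
}

// Referenced scripts that are absent from the list of files actually in the bundle.
function missingScripts(docText, bundleFiles) {
  const shipped = new Set(bundleFiles.map(normalise));
  return referencedScripts(docText).filter((p) => !shipped.has(p));
}

// Distinct remote-fetch instructions found in the documentation.
function remoteFetchInstructions(docText) {
  return [...new Set([...docText.matchAll(REMOTE_FETCH)].map((m) => m[0]))];
}

// Combine the two checks into a verdict. A missing runtime file is decisive: the agent
// would have to obtain code from somewhere that is not in front of the reviewer.
function auditBundle({ files, docs }) {
  const docText = docs.join('\n');
  const missing = missingScripts(docText, files);
  const remote = remoteFetchInstructions(docText);
  const findings = [];
  if (missing.length) findings.push({ severity: 'high', kind: 'missing-runtime', detail: missing });
  if (remote.length) findings.push({ severity: 'medium', kind: 'remote-fetch', detail: remote });
  const verdict = missing.length ? 'do-not-run' : remote.length ? 'review-install-source' : 'ok';
  return { verdict, findings };
}

// Constructed bundle: documentation only, like the flagged skill (skill name is hypothetical).
const DOCS_ONLY_BUNDLE = {
  files: ['SKILL.md', 'README.md'],
  docs: [
    '# Code review\nRun `node scripts/review.mjs <project-dir>` to analyze a project.\n',
    'Install with `clawhub install ai-code-review`.\nThen run `node scripts/review.mjs`.\n',
  ],
};

// Constructed bundle that ships its runtime and needs no external fetch.
const SELF_CONTAINED_BUNDLE = {
  files: ['SKILL.md', 'scripts/review.mjs'],
  docs: ['# Code review\nRun `node ./scripts/review.mjs <project-dir>`.\n'],
};

console.log(JSON.stringify(auditBundle(DOCS_ONLY_BUNDLE), null, 2));
console.log(JSON.stringify(auditBundle(SELF_CONTAINED_BUNDLE), null, 2));
```

Run it with Node: the first bundle yields 'do-not-run' with 'scripts/review.mjs' listed as missing and 'clawhub install' as a remote fetch, the second ships its runtime and passes. The pattern lists are the part to extend for other interpreters and package managers; the rule worth keeping is that any referenced runtime file absent from the bundle blocks execution until that file can be reviewed.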


Version: latest (vk976r41b7arjrw3x292kc3828h83by4m)


Runtime requirements

Clawdis
Bins: node
