Senior Code Reviewer
v0.1.0
Code review automation for TypeScript, JavaScript, Python, Go, Swift, Kotlin. Analyzes PRs for complexity and risk, checks code quality for SOLID violations...
by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious (high confidence)

Purpose & Capability
The declared purpose (automated code review) matches the included scripts and reference docs. However, the skill declares no required binaries or install steps even though the SKILL.md and the shipped tools explicitly run via the 'python' interpreter and the PR analyzer calls 'git' via subprocess. Not declaring Python and git is an incoherence that could lead to runtime failures or surprises if the agent environment differs.
Instruction Scope
SKILL.md instructs the agent (and user) to run local Python scripts against a repository path; the scripts read repository files, diffs, commit messages and produce JSON/markdown reports. That behavior is expected for a code-review tool, but it means the skill will scan all files you point it at (including secrets). The instructions do not ask for unrelated system files or external credentials.
Install Mechanism
There is no install spec (instruction-only), which is low-risk, but three substantive Python scripts are included and intended to be executed. Because the package contains executable code but does not declare runtime binary requirements, there's a mismatch between packaging and runtime behavior.
Credentials
The skill declares no required environment variables or credentials, and the scripts do not read secrets from env; that is proportionate. However, the scripts do invoke git and run Python subprocesses, so they implicitly require access to the filesystem and local git history. The absence of an explicit 'requires: python, git' is a notable omission.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It runs as an on-demand tool that executes local analysis; nothing in the files attempts to modify other skills or system settings.
What to consider before installing
Before installing or running this skill:

1) Review the three Python scripts (pr_analyzer.py, code_quality_checker.py, review_report_generator.py) yourself — they will be executed locally and will read all files in the repo you point them at (so they can surface secrets).
2) Ensure the runtime environment has Python and git on PATH — the skill does not declare these required binaries.
3) Run the scripts in an isolated or non-production environment (container or VM) first to confirm behavior and outputs.
4) If you plan to let an agent invoke this skill automatically, restrict its repository scope (don’t give it access to repos with production secrets) and verify there are no unexpected network calls (I found no external endpoints or downloads in the files provided).
5) Prefer a version of the skill that explicitly lists required binaries and a maintainer/homepage so you can verify provenance.

Like a lobster shell, security has layers — review code before you run it.