ClawHub

Code Security

v0.1.0

Review code for security risks like injection, auth flaws, sensitive data leaks, and recommend precise, actionable fixes with risk levels and patches.

0· 0·0 current·0 all-time
by@sf0799
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and instructions all describe a code security review. The skill requires no binaries, env vars, or config paths, which is proportionate for an instruction-only code-review helper. Note: the package source/homepage is unknown (no provenance), which reduces external trust but does not create technical incoherence.
Instruction Scope
SKILL.md tells the agent to review code in the current workspace for specific issues and to produce fixes/patches. It does not instruct network exfiltration or reading unrelated system files. Important operational note: 'current workspace' implies the agent will read project files (which may include secrets or credentials); this is expected behavior for a code-audit skill but worth being aware of and scoping before use.
Install Mechanism
No install specification and no code files — the skill is instruction-only, so nothing is written to disk or fetched during install. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables, credentials, or config paths. That aligns with its purpose as a local code reviewer and is proportionate.
Persistence & Privilege
Flags show always:false and user-invocable:true (defaults). The skill does not request persistent presence or system-wide changes. Model invocation is enabled by default (disable-model-invocation:false) which is normal for skills; this alone is not a red flag.
Assessment
This skill appears to do what it says: review the workspace for security issues and suggest fixes. Before running it, consider: (1) the skill will read files in your current workspace — remove or temporarily redact any secrets, credentials, or sensitive files you don't want inspected or leaked in output; (2) scope the review (specific files or directories) rather than scanning an entire repository if it contains private keys or production credentials; (3) run the review on a local copy or sanitized snapshot if you are concerned; (4) the skill's source/homepage is unknown — if provenance matters to you, prefer tools from known authors or with visible source code; (5) if you are uncomfortable with autonomous invocation, you can disable model-invocation for skills or require explicit user invocation. These are operational precautions rather than technical blockers.

Like a lobster shell, security has layers — review code before you run it.

latestvk976zrfjx7rmthy1wqej1ncqtd84a3sj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments