ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

deadcode

v1.0.1

Dead code and unused export detector — scans JavaScript/TypeScript, Python, Go, Java, and CSS for dead code, orphan files, unused exports, and code cruft

0· 74·0 current·0 all-time
by@suhteevah

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/deadcode.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "deadcode" (suhteevah/deadcode) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/deadcode
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install deadcode

ClawHub CLI

Package manager switcher

npx clawhub@latest install deadcode
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code: bash-based pattern scanner, language detection, report generation, and optional hook integration. Requested binaries (git, bash, python3, jq) and the lefthook brew formula are directly used by the scripts and align with the advertised features.
Instruction Scope
Runtime instructions and scripts operate locally (find/grep/awk/sed) and perform scanning, report generation, and installation/removal of lefthook hooks. They read and write ~/.openclaw/openclaw.json for license/config and will copy lefthook.yml into repo roots and run lefthook install—expected for pre-commit integration but notable because it modifies repo-level files and causes scripts to execute on each commit.
Install Mechanism
Install step is a single Homebrew formula (lefthook). No network downloads from arbitrary URLs or extracted archives are used; scripts are provided in the skill bundle. This is a low-risk install mechanism consistent with the stated purpose.
Credentials
Primary credential DEADCODE_LICENSE_KEY is justified by the Pro/Team features documented; the scripts also read/write ~/.openclaw/openclaw.json to persist keys and ignores (this path is declared in the SKILL metadata). One optional environment variable (CLAWHUB_JWT_SECRET) is referenced in license verification for signature checking but is not required — it only enables stronger local token verification when set.
Persistence & Privilege
always:false and model invocation are normal. The only persistence is writing/reading ~/.openclaw/openclaw.json (to store apiKey/ignore rules) and optionally adding lefthook.yml to repositories — both are appropriate for this skill but do modify user config and project files. Installing hooks will cause the skill's scripts to be sourced during commits.
Assessment
This skill is internally consistent with a local dead-code scanner. Before installing: (1) review the included scripts (scripts/*.sh) yourself — pre-commit hooks will source these files on every commit and can run arbitrary shell commands; (2) be aware that installing hooks will add/modify lefthook.yml in your repo and call `lefthook install`; (3) Pro/Team features require a JWT-style license key (DEADCODE_LICENSE_KEY) which the skill stores and reads from ~/.openclaw/openclaw.json or the environment; if you set CLAWHUB_JWT_SECRET you enable local signature verification; (4) Homebrew will be used to install lefthook. If you trust the skill source and inspect the hook content, it's reasonable to proceed. If you do not trust the source, do not install the hooks and inspect the scripts before running scans.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💀 Clawdis
OSmacOS · Linux · Windows
Binsgit, bash, python3, jq
Primary envDEADCODE_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
latestvk9763jk64zdfyz6t9zh0rr1g5h84ts95
74downloads
0stars
2versions
Updated 1w ago
v1.0.1
MIT-0
macOS, Linux, Windows
@suhteevah
latest
Download

DeadCode -- Dead Code & Unused Export Detector

DeadCode scans source files for dead code, unused exports, orphan files, unreachable code paths, and code cruft across JavaScript/TypeScript, Python, Go, and CSS/SCSS. It uses regex-based pattern matching against 60+ dead code patterns, lefthook for git hook integration, and produces markdown reports with actionable cleanup recommendations.

Commands

Free Tier (No license required)

deadcode scan [file|directory]

One-shot dead code scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/deadcode.sh" scan [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Auto-detects language types (JavaScript/TypeScript, Python, Go, CSS/SCSS)
  3. Finds all source files matching known patterns
  4. Runs 60+ dead code patterns against each file
  5. Runs file-level checks for orphan detection and structural issues
  6. Calculates a dead code score (0-100) per file and overall
  7. Outputs findings with: file, line number, check ID, severity, description, recommendation
  8. Exit code 0 if score >= 70, exit code 1 if too much dead code found
  9. Free tier limited to 5 source files per scan

Example usage scenarios:

  • "Scan my code for dead code" -> runs deadcode scan .
  • "Check this file for unused exports" -> runs deadcode scan src/utils.ts
  • "Find dead code in my Python project" -> runs deadcode scan src/
  • "Are there orphan files in my repo?" -> runs deadcode orphans .

Pro Tier ($19/user/month -- requires DEADCODE_LICENSE_KEY)

deadcode hooks install

Install git pre-commit hooks that scan staged source files before every commit.

How to execute:

bash "<SKILL_DIR>/scripts/deadcode.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: scans all staged source files for dead code, blocks commit if critical/high findings, shows cleanup advice

deadcode hooks uninstall

Remove DeadCode git hooks.

bash "<SKILL_DIR>/scripts/deadcode.sh" hooks uninstall

deadcode report [directory]

Generate a markdown dead code report with findings, severity breakdown, and cleanup steps.

bash "<SKILL_DIR>/scripts/deadcode.sh" report [directory]

What it does:

  1. Validates Pro+ license
  2. Runs full scan of the directory
  3. Generates a formatted markdown report from template
  4. Includes per-file breakdowns, dead code scores, cleanup priority
  5. Output suitable for code reviews and tech debt tracking

deadcode orphans [directory]

Find orphan files that are never imported or referenced by any other file.

bash "<SKILL_DIR>/scripts/deadcode.sh" orphans [directory]

What it does:

  1. Validates Pro+ license
  2. Builds an import/reference graph across all source files
  3. Identifies files that are never imported/required/referenced
  4. Excludes entry points (index files, main files, test files, config files)
  5. Reports orphan files with confidence levels

Team Tier ($39/user/month -- requires DEADCODE_LICENSE_KEY with team tier)

deadcode ignore [pattern]

Manage ignore rules for dead code detection.

bash "<SKILL_DIR>/scripts/deadcode.sh" ignore [pattern]

What it does:

  1. Validates Team+ license
  2. Adds/removes patterns to the ignore list in ~/.openclaw/openclaw.json
  3. Patterns can be file globs or check IDs
  4. Supports per-project and global ignore rules

deadcode sarif [directory]

Generate SARIF output for CI/CD integration.

bash "<SKILL_DIR>/scripts/deadcode.sh" sarif [directory]

What it does:

  1. Validates Team+ license
  2. Runs full scan of the directory
  3. Outputs findings in SARIF v2.1.0 format
  4. Compatible with GitHub Code Scanning, Azure DevOps, and other CI systems
  5. Includes rule definitions, locations, and severity mappings

deadcode status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/deadcode.sh" status

Detected Dead Code Patterns

DeadCode detects 60+ dead code patterns across 5 language categories:

CategoryExamplesSeverity
JavaScript/TypeScriptUnused exports, console.log left in code, commented-out blocks, unreachable code after return/throw, empty function bodies, unused variables, dead switch cases, deprecated markers, empty catch blocksCritical/High
PythonFunctions defined but never called, unused imports, pass-only bodies, commented-out code, dead code after return/raise, all mismatches, empty except blocksCritical/High
GoUnused imports, unexported dead functions, dead code after return/panic, empty function bodies, commented-out code, empty init() functionsHigh/Medium
CSS/SCSSUnused CSS classes/IDs, empty rule blocks, duplicate selectors, commented-out styles, !important overuse, unused CSS variables, empty media queries, vendor prefixesMedium/Low
GeneralOrphan files, large comment blocks, TODO/FIXME density, debug/test code in production, placeholder text, feature flag remnantsHigh/Medium

Configuration

Users can configure DeadCode in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "deadcode": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "high",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.spec.*"],
          "ignoreChecks": [],
          "reportFormat": "markdown"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies
  • Supports scanning multiple language types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = clean (score >= 70), 1 = too much dead code (for CI/CD integration)

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://deadcode.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no source files found in target, report clean scan with info message
  • If language type cannot be determined, skip the file gracefully

When to Use DeadCode

The user might say things like:

  • "Scan my code for dead code"
  • "Find unused exports in my project"
  • "Are there orphan files in my repo?"
  • "Check for unreachable code"
  • "Find commented-out code blocks"
  • "Detect unused imports in my Python code"
  • "Generate a dead code report"
  • "Set up pre-commit hooks for dead code detection"
  • "Check for console.log statements left in production"
  • "Find empty function bodies"
  • "Are there any unused CSS classes?"
  • "Scan for TODO/FIXME comments"
  • "Find placeholder code"
  • "Check for debug code left in production"
  • "Generate SARIF output for my CI pipeline"

Comments

Loading comments...