ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elixir Docs Review

v1.2.1

Reviews Elixir documentation for completeness, quality, and ExDoc best practices. Use when auditing @moduledoc, @doc, @spec coverage, doctest correctness, an...

0· 165·1 current·1 all-time
byKevin Anderson@anderskev

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/elixir-docs-review.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Elixir Docs Review" (anderskev/elixir-docs-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/elixir-docs-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install elixir-docs-review

ClawHub CLI

Package manager switcher

npx clawhub@latest install elixir-docs-review
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to audit Elixir docs and doctests, which legitimately can require running tests and reading .ex/.exs sources. However, the skill declares no required binaries or environment needs while the runtime instructions explicitly expect 'mix test' output and full project file reads. The absence of a declared dependency on Elixir/mix (or a note that the agent must be run in an environment with mix available) is an inconsistency.
!
Instruction Scope
SKILL.md stays within doc-audit scope (checks @moduledoc, @doc, @spec, doctests, evidence bundling). It does not ask for unrelated credentials or system-wide secrets. Two issues: (1) it requires producing 'mix test' output for doctest failures (implying the agent will execute tests or require test artifacts), and (2) it mandates loading and following a review-verification-protocol at '../review-verification-protocol/SKILL.md' which is not included in the skill bundle — this missing referenced file is a gap that could block correct operation or cause the agent to fetch external content.
Install Mechanism
Instruction-only skill with no install spec and no code files written to disk. This is low-risk from an install/execution distribution perspective.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate for a doc-reviewer. There is no request for unrelated secrets or elevated access.
Persistence & Privilege
always:false and no installation steps that persist or modify other skills or system settings. The skill does not request permanent presence or elevated privileges.
What to consider before installing
This skill appears to be what it says (an Elixir documentation reviewer) but has some implementation gaps you should resolve before trusting it: 1) Confirm the agent environment has Elixir and mix available if you expect it to run doctests (the skill references mix test but does not declare it). 2) The SKILL.md requires loading a '../review-verification-protocol/SKILL.md' file that is not included — ask the publisher for that file or supply it yourself. 3) If you will allow the agent to run tests or read your repository files, ensure it only has access to the project directory and not other sensitive locations. If these points are clarified (and you’re comfortable with the agent running mix/test commands on your codebase), the skill is reasonable; until then treat it with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk9774bpzq9mzhnst2s6qv3943n85bspj
165downloads
0stars
2versions
Updated 6d ago
v1.2.1
MIT-0
Kevin Anderson@anderskev
latest
Download

Elixir Documentation Review

Quick Reference

Issue TypeReference
@moduledoc, @doc quality, anti-patternsreferences/doc-quality.md
@spec, @type, @typedoc coveragereferences/spec-coverage.md

Review Checklist

Module Documentation

  • All public modules have @moduledoc
  • First-line summary is concise (one line, used by tools as summary)
  • @moduledoc includes ## Examples where appropriate
  • @moduledoc false only on internal/implementation modules

Function Documentation

  • All public functions have @doc
  • All public functions have @spec
  • @doc describes return values clearly
  • Multi-clause functions documented before first clause
  • Function head declared when arg names need clarification

Doctests

  • Doctests present for pure, deterministic functions
  • No doctests for side-effectful operations (DB, HTTP, etc.)
  • Doctests actually run (module included in test file)

Cross-References

  • Module references use backtick auto-linking (MyModule)
  • Function refs use proper arity format (function/2)
  • Type refs use t: prefix (t:typename/0)
  • No plain-text references where auto-links are possible

Metadata

  • @since annotations on new public API additions
  • @deprecated with migration guidance where appropriate

Valid Patterns (Do NOT Flag)

  • @doc false on callback implementations - Documented at behaviour level
  • @doc false on protocol implementations - Protocol docs cover the intent
  • Missing @spec on private functions - @spec optional for internals
  • Short @moduledoc without ## Examples on simple utility modules - Not every module needs examples
  • Using @impl true without separate @doc - Inherits documentation from behaviour

Context-Sensitive Rules

IssueFlag ONLY IF
Missing @moduledocModule is public AND not a protocol impl
Missing @specFunction is public AND exported
Missing doctestsFunction is pure AND deterministic
Generic @docDoc restates function name without adding value

Gates (sequenced — do not skip)

Work in order. Do not draft or ship a finding until the prior step passes.

  1. Scope lockPass when: You listed the exact .ex/.exs file paths (or Module names) under review; no vague “the project” scope.
  2. Full-context readPass when: For each candidate issue, you read the full surrounding definition (all clauses for multi-clause functions; full @moduledoc block for module-level claims), not only a diff hunk or search snippet.
  3. Evidence bundlePass when: Every draft finding uses the [FILE:LINE] ISSUE_TITLE header (line range allowed) and includes a verbatim quote or pointer to the @doc / @spec / doctest text in question. Module.function/arity may appear as supporting context but does not replace the [FILE:LINE] anchor. For “doctest fails” claims, Pass when: you cite mix test output for the relevant file or line, or the exact error string.
  4. Protocol before reportPass when: You loaded and followed review-verification-protocol (its Pre-Report checklist) before finalizing the issue list—not after.

When to Load References

  • Reviewing @moduledoc or @doc quality, seeing anti-patterns -> doc-quality.md
  • Reviewing @spec, @type, or @typedoc coverage -> spec-coverage.md

Comments

Loading comments...