Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Embedded Code Review Expert

v1.1.0

Expert code review for embedded/firmware projects with dual-model cross-review (Claude + Codex via ACP). Detects memory safety, interrupt hazards, RTOS pitfa...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a code-review workflow for embedded/firmware projects and its SKILL.md, references, and prepare-diff.sh all align with that purpose. The dual-model cross-review (Claude + Codex) described in the documentation is consistent with the stated goal of higher-quality reviews.
Instruction Scope
Instructions explicitly require extracting full diffs and (in dual-model mode) sending review context and full file contents to ACP-backed models for analysis. That is expected for a thorough code review, but it means the agent will transmit repository contents (potentially secrets) to external LLM endpoints when dual-model review is used — a privacy/exfiltration consideration the SKILL.md does not explicitly warn about.
Install Mechanism
No install spec is present (instruction-only with a small helper script). No downloads or archive extraction occur, so there is minimal installation risk. The included prepare-diff.sh is a small, readable shell script that runs git/grep/diff locally.
Credentials
The skill declares no required env vars or binaries in registry metadata, but SKILL.md/README assume Git is available and that OpenClaw/ACP and configured Claude/Codex agents exist. The lack of declared runtime requirements (git, ACP/agent CLI) in metadata is an inconsistency that could confuse automated eligibility checks; otherwise no unrelated credentials are requested.
Persistence & Privilege
The skill is not always-loaded and is user-invocable (the defaults). It does not request permanent presence or attempt to modify other skills or system-wide configs. It only reads local repo state via the helper script; no elevated privileges are requested.
Assessment
This skill appears to do what it claims: local git diffs are prepared and then fed to one or two external models for review. Before installing/use: (1) Be aware that dual-model mode will send full diff and file contents to external LLMs (Claude/Codex) — do not run it on repositories containing secrets or private keys unless you trust those model endpoints and your ACP configuration. (2) The registry metadata does not list runtime requirements, but you need Git and an OpenClaw/ACP setup with Claude/Codex agents available; verify these are present and correctly configured. (3) If you need tighter data control, use single-model/local review or sanitize the repo (remove secrets, test on a copy). (4) Review the included scripts (prepare-diff.sh) yourself — it only runs git/grep/diff locally, but running any skill on sensitive repos deserves caution. If you want higher assurance, ask the author for explicit declarations of required binaries/credentials and an explicit privacy notice describing what is sent to external models.


latest: vk97ax0xdsjn7wfwkxck5xj2mhd82454n
