ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Macros Code Review

v1.0.1

Reviews Rust macro code for hygiene issues, fragment misuse, compile-time impact, and procedural macro patterns. Use when reviewing macro_rules! definitions,...

0· 91·1 current·1 all-time
byKevin Anderson@anderskev

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/macros-code-review.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Macros Code Review" (anderskev/macros-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/macros-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install macros-code-review

ClawHub CLI

Package manager switcher

npx clawhub@latest install macros-code-review
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included instructions and reference docs: this is explicitly a Rust macro review checklist. The skill does not request unrelated credentials or binaries. However, the runtime workflow assumes access to the reviewed crate on disk (Cargo.toml, .rs files) and that the reviewer will produce [FILE:LINE] evidence — the skill metadata declares no required config paths or filesystem access. That is an inconsistency to be aware of (the skill implicitly requires repository file access).
!
Instruction Scope
SKILL.md instructs the agent to open the crate's Cargo.toml, read full macro definitions, record exact file:line locations for each finding, and — crucially — to 'load and apply beagle-rust:review-verification-protocol' before emitting findings. That protocol is not included in the bundle and no mechanism (install spec, dependency, or link) is declared to obtain it. The instructions therefore depend on external artifacts and on-disk files that are not declared, which can break reproducibility or hide where verification logic actually runs. The steps themselves do not request network exfiltration or secrets, but they grant broad discretion to read repository files and to defer to an external protocol.
Install Mechanism
Instruction-only skill with no install spec and no code files with executable install steps. This minimizes the risk of arbitrary code being written or executed on install.
Credentials
No environment variables, credentials, or external endpoints are requested — appropriate for an offline code-review checklist. However, the instructions imply access to the filesystem (crate source tree) and to an external protocol, neither of which are declared in requires.env or config paths. Confirm how the agent will obtain file access and the missing protocol before running.
Persistence & Privilege
The skill is not always-on and is user-invocable; it does not request persistent privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with high privileges or undisclosed credentials.
What to consider before installing
This skill appears to be a legitimate Rust macro review checklist and is low-risk as an instruction-only skill, but it has two practical mismatches you should address before installing or running it: (1) SKILL.md requires reading the target crate's Cargo.toml and source files and emitting [FILE:LINE] evidence, yet the skill metadata does not declare any required config paths or how the agent will access the repository — confirm the agent runtime will be allowed to read your repo and that exposing file:line output is acceptable; (2) the workflow mandates loading 'beagle-rust:review-verification-protocol' before reporting, but that protocol is not included or referenced in the package or install spec — ask the publisher where that protocol comes from and inspect it before trusting its use. If you plan to run this skill, run it in an environment where you control the repository access and logs, and verify any external protocol or helper is available locally or reviewed separately. If those two points are resolved (local file access and the verification protocol are explicit and trustworthy), the skill is coherent for its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708ktts8b9bv1at58d6znz2n85a2w2
91downloads
0stars
2versions
Updated 5d ago
v1.0.1
MIT-0
Kevin Anderson@anderskev
latest
Download

Macros Code Review

Review Workflow

  1. Check Cargo.toml -- Note Rust edition (2024 reserves gen keyword, affecting macro output), proc-macro crate dependencies (syn, quote, proc-macro2), and feature flags (e.g., syn with minimal features)
  2. Check macro type -- Determine if reviewing declarative (macro_rules!), function-like proc macro, attribute macro, or derive macro
  3. Check if a macro is needed -- If the transformation is type-based, generics are better. Macros are for structural/repetitive code generation that generics cannot express
  4. Scan macro definitions -- Read full macro bodies including all match arms, not just the invocation site
  5. Check each category -- Work through the checklist below, loading references as needed
  6. Gates -- Complete Gates below before reporting; do not substitute informal “I verified.”

Gates (before reporting findings)

Complete in order. Do not emit findings until Gate 4 passes for each issue.

Gate 1 — Crate context (on disk)
PASS when: You opened the reviewed crate’s Cargo.toml (workspace member path if applicable) and recorded Rust edition, whether the crate is proc-macro = true, and relevant proc-macro dependencies or syn / quote feature flags.
Blocks rationalization: Edition 2024 findings (gen, unsafe extern, generated unsafe bodies) and syn “full” vs minimal flags require this — do not flag edition-specific macro output without matching edition from the file.

Gate 2 — Macro definitions read
PASS when: For every macro you critique, you read the full definition (all macro_rules! arms, or the proc-macro entry plus helpers you rely on), not only call sites or partial expansions.
Artifact: At least one path per macro to the defining .rs file(s) you used.

Gate 3 — Per-finding evidence
PASS when: Each planned issue has [FILE:LINE] from the current tree for the macro definition, attribute/derive site, or generated code location you are discussing (not from memory, docs-only, or another branch).

Gate 4 — Pre-report protocol
PASS when: You loaded and applied beagle-rust:review-verification-protocol, including Macro-Specific Verification for hygiene, fragment type, and proc-macro performance claims. Then add findings.

Output Format

Report findings as:

[FILE:LINE] ISSUE_TITLE
Severity: Critical | Major | Minor | Informational
Description of the issue and why it matters.

Quick Reference

Issue TypeReference
Fragment types, repetition, hygiene, declarative patternsreferences/declarative-macros.md
Proc macro types, syn/quote, spans, testingreferences/procedural-macros.md

Review Checklist

Declarative Macros (macro_rules!)

  • Correct fragment types used (:expr vs :tt vs :ident -- wrong choice causes unexpected parsing)
  • Repetition separators match intended syntax (, vs ; vs none, * vs +)
  • Trailing comma/semicolon handled (add $(,)? or $(;)? at end of repetition)
  • Matchers ordered from most specific to least specific (first match wins)
  • No ambiguous expansions -- each metavariable appears in the correct repetition depth in the transcriber
  • Variables defined in the macro use macro-internal names (hygiene protects variables, not types/modules/functions)
  • Exported macros (#[macro_export]) use $crate:: for crate-internal paths, never crate:: or self::
  • Standard library paths use ::core:: and ::alloc:: (not ::std::) for no_std compatibility
  • compile_error! used for meaningful error messages on invalid input patterns
  • Macro placement respects textual scoping (defined before use) unless #[macro_export]

Procedural Macros

  • syn features minimized (don't enable full when derive suffices -- reduces compile time)
  • Spans propagated from input tokens to output tokens (errors point to user code, not macro internals)
  • Span::call_site() used for identifiers that should be visible to the caller
  • Span::mixed_site() used for identifiers private to the macro (matches macro_rules! hygiene)
  • Error reporting uses syn::Error with proper spans, not panic!
  • Multiple errors collected and reported together via syn::Error::combine
  • proc-macro2 used for testing (testable outside of compiler context)
  • Generated code volume is proportionate -- proc macros that emit large amounts of code bloat compile times

Derive Macros

  • Derivation is obvious -- a developer could guess what it does from the trait name alone
  • Helper attributes (#[serde(skip)] style) are documented
  • Trait implementation is correct for all variant shapes (unit, tuple, struct variants)
  • Generated impl blocks use fully qualified paths (::core::, $crate::)

Attribute Macros

  • Input item is preserved or intentionally transformed (not accidentally dropped)
  • Attribute arguments are validated with clear error messages
  • Test generation patterns (#[test_case] style) produce unique test names
  • Framework annotations document what code they generate

Edition 2024 Awareness

  • Macro output does not use gen as an identifier (reserved keyword -- use r#gen or rename)
  • Generated unsafe fn bodies use explicit unsafe {} blocks around unsafe ops
  • Generated extern blocks use unsafe extern

Generics vs Macros

Flag a macro when the same result is achievable with generics or trait bounds. Macros are appropriate when:

  • The generated code varies structurally (not just by type)
  • Repetitive trait impls for many concrete types
  • Test batteries with configuration variants
  • Compile-time computation that const fn cannot express

Severity Calibration

Critical (Block Merge)

  • Macro generates unsound unsafe code
  • Hygiene violation in macro that outputs unsafe blocks (caller's variables leak into unsafe context)
  • Proc macro panics instead of returning compile_error! (crashes the compiler)
  • Derive macro generates incorrect trait implementation (violates trait contract)

Major (Should Fix)

  • Exported macro uses crate:: or self:: instead of $crate:: (breaks for downstream users)
  • Exported macro uses ::std:: instead of ::core::/::alloc:: (breaks no_std users)
  • Wrong fragment type causing unexpected parsing (:expr where :tt needed, or vice versa)
  • Proc macro enables syn full features unnecessarily (compile time cost)
  • Missing span propagation (errors point to macro definition, not invocation)
  • No error handling in proc macro (panics on bad input instead of compile_error!)

Minor (Consider Fixing)

  • Missing trailing comma/semicolon tolerance in repetition patterns
  • Matcher arms not ordered most-specific-first
  • Macro used where generics would be clearer and equally expressive
  • Missing compile_error! fallback arm for invalid patterns
  • Helper attributes undocumented

Informational (Note Only)

  • Suggestions to split complex macro_rules! into a proc macro
  • Suggestions to reduce generated code volume
  • TT munching or push-down accumulation patterns that could be simplified

Valid Patterns (Do NOT Flag)

  • macro_rules! for test batteries -- Generating repetitive test modules from a list of types/configs
  • macro_rules! for trait impls -- Implementing a trait for many concrete types with identical bodies
  • TT munching -- Valid advanced pattern for recursive token processing
  • Push-down accumulation -- Valid pattern for building output incrementally across recursive calls
  • #[macro_export] with $crate -- Correct way to make macros usable outside the defining crate
  • Span::call_site() for generated functions -- Intentionally making generated items visible to callers
  • syn::Error::to_compile_error() -- Correct error reporting pattern in proc macros
  • trybuild tests for proc macros -- Standard compile-fail testing approach
  • Attribute macros on test functions -- Common pattern for test setup/teardown
  • compile_error! in impossible match arms -- Good practice for catching invalid macro input

Comments

Loading comments...