Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Egregore Quality Gate

v1.0.0

Orchestrates egregore's QUALITY pipeline stage. Runs convention checks and invokes review skills for each quality step. Supports self-review (pre-PR) and PR-...

Security Scan

  • VirusTotal: Pending
  • OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The name/description (orchestrate QUALITY pipeline, run conventions, invoke review skills) is coherent with the instructions. However the SKILL.md expects access to git, the GitHub CLI (gh), a local conventions/codex.yml, and to run conventions.py and mapped skills. The registry metadata declares no required binaries, no env vars, and no primary credential. That mismatch (declaring nothing while expecting repo and GitHub operations) is a substantive inconsistency.
Instruction Scope
Instructions stay within a plausible 'quality gate' scope: they read changed files, load conventions, run convention checks, invoke mapped review skills, attempt auto-fixes, commit changes, and post GitHub reviews. These steps include repository modification (commits/pushes) and network activity (gh api), which are expected for this purpose but are sensitive actions and should be constrained by declared requirements and safeguards.
Install Mechanism
Instruction-only skill (no install spec, no code files). Low install risk because nothing will be downloaded or written by an installer. The runtime risk depends entirely on what the agent executes per SKILL.md (git/gh/conventions.py), not on an installer.
Credentials (flagged)
The skill requires implicit access to GitHub (to run `gh pr diff` and `gh api`), git commit/push capabilities, and to run conventions.py — but declares no environment variables or credentials. Posting reviews and committing fixes normally requires GH credentials or a configured gh CLI with repo write permissions. The absence of declared credentials is disproportionate and obscures the level of access needed.
Persistence & Privilege
always:false (no forced inclusion). The skill can be invoked autonomously (platform default) and, if invoked, may perform writes to the repository and call GitHub APIs. Autonomous invocation alone is not a fault, but combined with the missing credential declarations it increases operational risk and warrants careful permissioning.
What to consider before installing
Before installing, verify these items:

  1. Confirm that git, the GitHub CLI (gh) and a Python runtime are available where the agent will run; SKILL.md implicitly requires them but the skill metadata does not declare them.
  2. Decide what credentials the skill will use: posting reviews and committing fixes require GitHub authentication and likely push permissions; use a least-privilege token or ensure gh is configured with appropriate, auditable credentials.
  3. Verify the presence and contents of conventions/codex.yml and conventions.py in the repository and confirm their behavior.
  4. Inspect every mapped skill (pensive:unified-review, conserve:unbloat, sanctum:update-tests, etc.), because this orchestrator will invoke them and they may run arbitrary code.
  5. If possible, run the skill in a dry-run or on a fork/CI job with restricted permissions first.

If you require the registry metadata to be accurate, ask the publisher to explicitly list required binaries and any environment variables/permissions the skill needs.


Runtime requirements

🦞 Clawdis · 41 downloads · 0 stars · 1 version · Updated 1w ago · MIT-0

Night Market Skill — ported from claude-night-market/egregore. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Quality Gate

When To Use

  • Running quality checks on egregore work items
  • Self-review before creating a PR
  • Reviewing another agent's PR in PR-review mode

When NOT To Use

  • Manual code reviews outside egregore pipeline
  • One-off lint or format checks (use make lint directly)

Orchestrate the QUALITY stage of egregore's pipeline. Each quality step runs convention checks from the codex and invokes mapped skills.

Routing Table

Step            | Conventions        | Skills                                    | Modes
----------------|--------------------|-------------------------------------------|----------
code-review     | C1, C2, C3, C4, C5 | pensive:unified-review                    | self, pr
unbloat         | -                  | conserve:unbloat                          | self
code-refinement | -                  | pensive:code-refinement                   | self
update-tests    | -                  | sanctum:update-tests                      | self
update-docs     | C5                 | sanctum:update-docs, scribe:slop-detector | self

Inputs

The orchestrator invokes this skill with:

  • step: which quality step to run (e.g. "code-review")
  • mode: "self-review" or "pr-review"
  • work_item_id: the manifest work item ID
  • branch: the git branch with changes
  • pr_number: (PR-review mode only) the PR number

Self-Review Workflow

When mode is "self-review":

  1. Get changed files: git diff --name-only main...HEAD
  2. Load conventions from conventions/codex.yml
  3. Filter conventions to those mapped to the current step
  4. Run convention checks via conventions.py
  5. Invoke mapped skills on the changed files
  6. Collect all findings
  7. Calculate verdict

Auto-Fix Loop

If blocking findings exist:

  1. Attempt to fix each finding (skill-dependent)
  2. Commit fixes to the work item branch
  3. Re-run convention checks
  4. If still blocking after 3 attempts, verdict is "fix-required"

Verdict Calculation

if no findings:
    verdict = "pass"
elif all findings are severity "warning":
    verdict = "pass-with-warnings"
elif blocking findings remain after auto-fix:
    verdict = "fix-required"

Record verdict in manifest decisions:

{
  "step": "code-review",
  "chose": "pass-with-warnings",
  "why": "2 warnings (C4: noqa in hooks), 0 blocking"
}

PR-Review Workflow

When mode is "pr-review":

  1. Fetch PR diff: gh pr diff <number> --name-only
  2. Load conventions and filter to code-review step
  3. Run convention checks on changed files
  4. Invoke pensive:unified-review on the diff
  5. Collect all findings

Posting Reviews

Map findings to GitHub review:

  • No findings: gh api POST review with event "APPROVE"
  • Warnings only: POST review with event "COMMENT", findings as inline comments
  • Blocking findings: POST review with event "REQUEST_CHANGES", blocking findings as inline comments with "must fix" prefix

Comment format per finding:

[egregore:{convention_id}] {message}

Convention: {convention_name}
Severity: {severity}
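The verdict rules, the bounded auto-fix loop and the findings-to-review mapping described above, as an added example that is not the skill's or egregore's own code. It assumes a finding carries a path and line (needed for inline comments) and uses "blocking" as the severity value of a blocking finding; neither detail is stated in the SKILL.md.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    convention_id: str
    convention_name: str
    severity: str   # "warning" or "blocking" (the value "blocking" is assumed)
    message: str
    path: str       # path/line are assumed fields, needed for inline PR comments
    line: int

REVIEW_EVENTS = {"pass": "APPROVE", "pass-with-warnings": "COMMENT", "fix-required": "REQUEST_CHANGES"}

def calculate_verdict(step, findings, auto_fix=None, max_attempts=3):
    """Bounded auto-fix loop, then the verdict rules. auto_fix(findings) stands in
    for fix + commit + re-check and returns the findings still open."""
    remaining, attempts = list(findings), 0
    while auto_fix and any(f.severity == "blocking" for f in remaining) and attempts < max_attempts:
        remaining, attempts = auto_fix(remaining), attempts + 1
    if not remaining:
        verdict = "pass"
    elif all(f.severity == "warning" for f in remaining):
        verdict = "pass-with-warnings"
    else:
        verdict = "fix-required"
    warn = [f for f in remaining if f.severity == "warning"]
    detail = ", ".join(f"{f.convention_id}: {f.message}" for f in warn)
    why = f"{len(warn)} warnings ({detail}), {len(remaining) - len(warn)} blocking"
    return {"step": step, "chose": verdict, "why": why}, remaining

def format_comment(f):
    body = (f"[egregore:{f.convention_id}] {f.message}\n\n"
            f"Convention: {f.convention_name}\nSeverity: {f.severity}")
    return "must fix: " + body if f.severity == "blocking" else body

def build_review(verdict, remaining):
    """Body for `gh api` POST /repos/{owner}/{repo}/pulls/{pr_number}/reviews."""
    inline = ([f for f in remaining if f.severity == "blocking"] if verdict == "fix-required"
              else remaining if verdict == "pass-with-warnings" else [])
    return {"event": REVIEW_EVENTS[verdict],
            "comments": [{"path": f.path, "line": f.line, "body": format_comment(f)}
                         for f in inline]}

# Constructed sample findings; convention names here are placeholders, not the real codex.
SAMPLE = [Finding("C4", "no-noqa", "warning", "noqa in hooks", "hooks/pre.py", 12),
          Finding("C4", "no-noqa", "warning", "noqa in hooks", "hooks/post.py", 3),
          Finding("C1", "no-debug-print", "blocking", "print() in library code", "egregore/gate.py", 40)]

def fix_c1_only(findings):  # stand-in auto-fixer: resolves only C1, warnings stay open
    return [f for f in findings if f.convention_id != "C1"]
```

The returned dict is the manifest decision record shown above; the review body is what would be passed to `gh api` in PR-review mode.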

Quality Config

Work items may have a quality_config field:

{
  "skip": ["unbloat"],
  "only": ["code-review", "update-docs"]
}

  • skip: list of steps to skip (run all others)
  • only: list of steps to run (skip all others)
  • If both are set, only takes precedence
  • If neither is set, all steps run (default)

Convention Filtering by Step

Not all conventions run on every step. The routing table above defines which conventions apply to which step. The quality gate filters the loaded codex accordingly before running checks.
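Step selection from quality_config (skip/only precedence, mode restriction from the routing table) together with the convention filtering described here, as an added example that is not egregore's own code. It assumes the loaded codex is a list of conventions with an "id" key, and it adds a strict check that rejects unknown step names and missing conventions rather than silently running fewer checks; the page does not specify either behaviour.

```python
MODE_KEY = {"self-review": "self", "pr-review": "pr"}  # input mode -> routing-table mode
ROUTING = {  # transcribed from the routing table above; "-" becomes an empty list
    "code-review": {"conventions": ["C1", "C2", "C3", "C4", "C5"],
                    "skills": ["pensive:unified-review"], "modes": {"self", "pr"}},
    "unbloat": {"conventions": [], "skills": ["conserve:unbloat"], "modes": {"self"}},
    "code-refinement": {"conventions": [], "skills": ["pensive:code-refinement"], "modes": {"self"}},
    "update-tests": {"conventions": [], "skills": ["sanctum:update-tests"], "modes": {"self"}},
    "update-docs": {"conventions": ["C5"],
                    "skills": ["sanctum:update-docs", "scribe:slop-detector"], "modes": {"self"}},
}
# Constructed stand-in for a loaded conventions/codex.yml; the real layout is not on the page.
SAMPLE_CODEX = [{"id": f"C{i}", "name": f"convention-{i}"} for i in range(1, 6)]

def select_steps(quality_config, mode="self-review"):
    """Steps to run for a work item, in routing-table order: 'only' takes precedence
    over 'skip', neither set means all steps. Steps the table does not allow in this
    mode are dropped, and unknown step names are rejected rather than ignored."""
    cfg = quality_config or {}
    unknown = (set(cfg.get("skip", [])) | set(cfg.get("only", []))) - set(ROUTING)
    if unknown:
        raise ValueError(f"unknown quality steps in quality_config: {sorted(unknown)}")
    if "only" in cfg:
        steps = [s for s in ROUTING if s in cfg["only"]]
    elif "skip" in cfg:
        steps = [s for s in ROUTING if s not in cfg["skip"]]
    else:
        steps = list(ROUTING)
    m = MODE_KEY.get(mode, mode)
    return [s for s in steps if m in ROUTING[s]["modes"]]

def conventions_for_step(codex, step):
    """Filter the loaded codex to the conventions mapped to step; a convention the
    codex lacks is an error, not a silently skipped check."""
    by_id = {c["id"]: c for c in codex}
    wanted = ROUTING[step]["conventions"]
    missing = [cid for cid in wanted if cid not in by_id]
    if missing:
        raise KeyError(f"codex lacks conventions {missing} required by step {step}")
    return [by_id[cid] for cid in wanted]

def plan(quality_config, mode, codex):
    """Per-step plan: convention ids to check and skills to invoke."""
    return {s: {"conventions": [c["id"] for c in conventions_for_step(codex, s)],
                "skills": ROUTING[s]["skills"]}
            for s in select_steps(quality_config, mode)}
```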

Exit Criteria

  • All applicable convention checks executed
  • All mapped skills invoked
  • Verdict calculated and recorded in manifest
  • For PR-review: GitHub review posted
