Pensive Blast Radius

v1.0.0

Analyze the blast radius of code changes with risk scoring. Shows affected nodes, untested functions, and review priorities using the code knowledge graph

Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to compute blast radius using a code knowledge graph and its runtime instructions actually attempt graph queries, fall back to cross-file tracing tools, and use git diffs — these are appropriate for the stated purpose.
Instruction Scope
Instructions stay within codebase analysis (git, rg/grep, sem) and optionally invoke a local gauntlet graph_query.py; this is expected, but the skill explicitly runs code found under ~/.claude/plugins which is arbitrary local code and should be trusted/inspected before executing.
Install Mechanism
No install spec or external downloads — instruction-only. That lowers installation risk; the only runtime risk is executing existing local tooling (python3, sem, rg) if present.
Credentials
The skill does not request environment variables or external credentials. However it will read and execute a Python script from the user's ~/.claude/plugins path and scan the repository files; these operations are proportional to impact analysis but require trusting local plugin code.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges or modify other skills. It runs only when invoked and performs local analysis commands.
Scan Findings in Context
[no-regex-findings] expected: The package is instruction-only with no code files, so the regex-based scanner had nothing to analyze — this is expected but leaves runtime behavior determined entirely by the SKILL.md steps.
Assessment
This skill appears to do what it says: it inspects git changes and (when available) queries a local code-graph tool. Before using it, ensure any local tooling it runs is trustworthy: verify the contents of ~/.claude/plugins/gauntlet/graph_query.py (or equivalent), and be cautious about running unknown Python/CLI tools. If you prefer safety, run the commands in a disposable container or inspect outputs manually instead of auto-executing the suggested scripts. If you don't have the gauntlet plugin or sem installed, the fallback grep/rg approach is less powerful but avoids executing third-party Python code.


Runtime requirements: Clawdis
Latest version id: vk970sey649s2ahjnkgy3rf63yd84wver
53 downloads, 0 stars, 1 version
Updated 4d ago
v1.0.0, MIT-0 license

Night Market Skill — ported from claude-night-market/pensive. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Blast Radius Analysis

Analyze the impact of current code changes using the code knowledge graph.

Prerequisites

This skill requires the gauntlet plugin for graph data. Check if it's available:

GRAPH_QUERY=$(find ~/.claude/plugins -name "graph_query.py" -path "*/gauntlet/*" 2>/dev/null | head -1)

If gauntlet is not installed (GRAPH_QUERY is empty): Fall back to a manual impact analysis using git diff and grep to trace imports and call sites. Skip graph steps and go directly to step 3 (manual mode).

If gauntlet is installed but no graph.db exists: Tell the user: "Run /gauntlet-graph build first."

Steps

  1. Show current changes: Run git diff --stat to show the user what files changed.

  2. Run impact analysis (requires gauntlet):

    python3 "$GRAPH_QUERY" \
        --action impact --base-ref HEAD --depth 2
    

    Fallback tier 1 (sem available, no gauntlet): Use sem for cross-file dependency tracing:

    if command -v sem &>/dev/null; then
      # One sem call per changed file; sem resolves function-level dependencies
      git diff --name-only HEAD | while read -r f; do
        sem impact --json "$f"
      done
    fi
    

    This traces real function-level dependencies instead of filename matching. See leyline:sem-integration for detection patterns.

    Fallback tier 2 (no sem, no gauntlet): Trace callers of changed functions with rg (or grep):

    # Prefer rg for speed; fall back to grep. The search term is the changed
    # file's module name (basename without .py), so files that reference it match.
    if command -v rg &>/dev/null; then
      git diff --name-only HEAD | while read -r f; do
        rg -l --type py -e "$(basename "$f" .py)" . 2>/dev/null
      done | sort -u
    else
      git diff --name-only HEAD | while read -r f; do
        grep -rl --include="*.py" -e "$(basename "$f" .py)" . 2>/dev/null
      done | sort -u
    fi
    
  3. Display results in priority order:

    Format the output as a table:

    Risk  | Node                    | File          | Reason
    0.85  | auth.py::verify_token   | auth.py:45    | untested, security
    0.62  | db.py::execute_query    | db.py:112     | high fan-in
    0.41  | api.py::handle_request  | api.py:78     | flow participant
    
  4. Highlight untested functions: List any affected functions that lack test coverage (no TESTED_BY edge).

  5. Show overall risk: Display the overall risk level (low/medium/high) based on the maximum risk score.

  6. Suggest actions:

    • For high-risk nodes: "Consider adding tests before merging"
    • For security-sensitive nodes: "Review authentication and authorization logic carefully"
    • For high-fan-in nodes: "Changes here affect many callers; verify backward compatibility"

Risk Scoring Model

Five weighted factors (sum capped at 1.0):

Factor             | Weight | Meaning
Test gap           | 0.30   | No test coverage
Security           | 0.20   | Auth/crypto/SQL keywords
Flow participation | 0.25   | Part of execution flows
Cross-community    | 0.15   | Called from other modules
Caller count       | 0.10   | High fan-in function
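The scoring model above, together with the priority table (step 3), the untested list (step 4) and the overall level (step 5), as an added Python example that is not part of the skill or the gauntlet plugin: the weights are the table's, while the low/medium/high thresholds, the Node structure and the sample nodes are assumptions.

```python
from dataclasses import dataclass, field

# Factor weights from the skill's table; key strings double as the "Reason" text.
WEIGHTS = {
    "untested": 0.30,          # Test gap: no TESTED_BY edge
    "security": 0.20,          # Auth/crypto/SQL keywords
    "flow participant": 0.25,  # Part of execution flows
    "cross-community": 0.15,   # Called from other modules
    "high fan-in": 0.10,       # Caller count
}

@dataclass
class Node:                                    # assumed shape, not graph_query.py's
    name: str                                  # e.g. "auth.py::verify_token"
    file: str                                  # e.g. "auth.py:45"
    factors: set = field(default_factory=set)  # subset of WEIGHTS keys

def score(node: Node) -> float:
    """Weighted sum of the factors present, capped at 1.0."""
    unknown = node.factors - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
    return round(min(1.0, sum(WEIGHTS[f] for f in node.factors)), 2)

def overall_level(nodes, high=0.7, medium=0.4) -> str:
    """Step 5: level from the maximum node score (thresholds are assumed)."""
    top = max((score(n) for n in nodes), default=0.0)
    return "high" if top >= high else "medium" if top >= medium else "low"

def untested(nodes) -> list:
    """Step 4: affected functions lacking test coverage."""
    return [n.name for n in nodes if "untested" in n.factors]

def render(nodes) -> str:
    """Step 3: priority table, highest risk first."""
    lines = [f"{'Risk':<5} | {'Node':<23} | {'File':<13} | Reason"]
    for n in sorted(nodes, key=score, reverse=True):
        reason = ", ".join(f for f in WEIGHTS if f in n.factors)
        lines.append(f"{score(n):<5.2f} | {n.name:<23} | {n.file:<13} | {reason}")
    return "\n".join(lines)

# Constructed sample nodes, not real graph_query.py output.
SAMPLE = [
    Node("auth.py::verify_token", "auth.py:45", {"untested", "security", "flow participant", "high fan-in"}),
    Node("db.py::execute_query", "db.py:112", {"high fan-in", "cross-community", "flow participant"}),
    Node("api.py::handle_request", "api.py:78", {"flow participant"}),
]

if __name__ == "__main__":
    print(render(SAMPLE), untested(SAMPLE), overall_level(SAMPLE), sep="\n")
```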
