Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Receiving Code Review
v0.1.0
Use when receiving code review feedback, before implementing suggestions, especially if feedback seems unclear or technically questionable - requires technical rigor and verification, not performative agreement or blind implementation
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions. The skill is prose-only guidance about how to receive and act on code review feedback and does not request unrelated binaries, environment variables, or installs.
Instruction Scope
Instructions repeatedly tell the agent to 'verify against the codebase', 'grep codebase', and to reply in GitHub threads. That is appropriate for a code-review helper, but it implicitly assumes the agent has read (and possibly write) access to the repository and PR comments. The SKILL.md does not request credentials or explicitly limit autonomous actions, so you should confirm the agent's runtime permissions before allowing automatic modifications or commits.
Install Mechanism
No install spec and no code files — lowest-risk delivery. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no environment variables, secrets, or config paths. No disproportionate credential access is requested.
Persistence & Privilege
always is false and model invocation is not disabled (normal defaults). The skill does instruct taking actions (implement/fix) but does not request persistent presence or modify other skills/config; review agent permissions if you do not want it to act autonomously.
Assessment
This is an instruction-only, coherent code-review checklist that does not request credentials or install anything — low intrinsic risk. Before enabling it, confirm what your agent is allowed to do: if the agent has commit/push or PR-commenting privileges, the skill's instructions to 'just fix it' or 'implement' could lead to automatic code changes; consider keeping the skill user-invocable only or disabling autonomous code-write actions. Also note the skill assumes repository access for verification (grep, tests); if you want to restrict exposure, ensure the agent has read-only access or require human approval before any write operations. Finally, provenance is unknown (no homepage/author details) — benign in function but exercise the usual caution about enabling new skills in production workflows.
Like a lobster shell, security has layers — review code before you run it.
