Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Review Python
v1.0.0Comprehensive Python/FastAPI backend code review with optional parallel agents
⭐ 0· 16·1 current·1 all-time
byKevin Anderson@anderskev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md implements a coherent Python/FastAPI review workflow (git diff, lint, detect frameworks, load per-technology skills). However, the skill declares no required binaries or environment variables while the instructions assume command-line tools (git, grep, ruff, mypy) are present. That discrepancy is unexpected and should be clarified.
Instruction Scope
Instructions stay within code-review scope (operate on diff, run linters, detect tech, load review skills). They do instruct recursive greps and running linters across changed files, and to load/launch other skills and subagents. Loading external skills/subagents can expand the attack surface because those skills may themselves request credentials or network access; the instructions do not document or constrain what data is shared with loaded skills.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
The skill declares no credentials or config path requirements, which is appropriate for a static code-review helper. However, because it instructs loading other named skills (e.g., beagle-python, beagle-ai) and spawning subagents, those downstream skills may require environment variables or credentials — the current skill does not document or restrict that. Also it omits declaring the CLIs it will invoke.
Persistence & Privilege
always:false and disable-model-invocation:true reduce privilege and autonomous invocation risk. The skill does not request persistent system-wide changes or modify other skills' configs.
What to consider before installing
This skill appears to be a legitimate, instruction-only Python/FastAPI review helper, but check a few things before installing or running it:
- Tool availability: SKILL.md expects git, grep, ruff, and mypy. Confirm these CLIs are available where the skill will run (CI runner, developer machine). The registry metadata listing no required binaries is inconsistent with the instructions.
- External skills: The skill instructs loading named skills (beagle-python, beagle-ai, etc.) and spawning subagents. Review those skills' permissions, environment requirements, and network behavior before allowing them, since they may request credentials or send data externally.
- Data exposure: The skill operates on your repository diff and will run greps/linters over code. Run it in a workspace that does not contain secrets or sensitive files, or ensure the review environment is isolated.
- Linter reliance: The workflow explicitly trusts project linter configs (ruff/mypy). That's reasonable, but if you want additional security checks, ensure you run independent security/static-analysis tools as well.
If you want to proceed, ask the skill author to (1) declare the expected binaries in the metadata, (2) document exactly what data is shared with loaded skills/subagents, and (3) provide links or provenance for the named external skills so you can review their behavior before use.Like a lobster shell, security has layers — review code before you run it.
latestvk97fh56yc9c8jh6ynq89g4v65s84j36q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.