Intelligent Code Review Assistant

v1.0.0

Code Review Assistant - Automatically analyzes code and provides review comments, performance optimization suggestions, and security vulnerability detection. Supports multiple programming languages and generates detailed code review reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description advertise a runnable code-review tool, and the SKILL.md shows a command (node scripts/review.mjs). Yet the package contains no code or install spec. Requiring the node binary is plausible, but there is no included review.mjs and no mechanism to obtain it, so the declared capability does not match what is actually provided.
Instruction Scope
Runtime instructions tell the agent to execute a local Node script (node scripts/review.mjs --file ...). That is scoped to code review, but it is vague about the origin of the script. Because the script is not bundled, the agent would either fail or run an existing local script in the user's workspace; running an arbitrary local Node script without knowing its contents is risky. The instructions do not reference external endpoints or credentials.
Install Mechanism
No install spec is provided (instruction-only). README mentions 'clawhub install code-review-assistant' but no installer or files are included in this package. Lack of an install mechanism reduces immediate supply-chain risk but creates inconsistency about how the tool is supposed to be obtained.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a local code-review helper. There is no evidence it requests unrelated secrets.
Persistence & Privilege
The always flag is false, and there is no indication the skill requests permanent presence or modifies other skills or config. Autonomous invocation is allowed (platform default) but does not combine here with broad privileges.
What to consider before installing
This package is inconsistent: it advertises a Node-based code-review tool but does not include the scripts or an install step. Before installing or invoking it, verify the upstream GitHub repository and confirm where scripts/review.mjs comes from. Do not run 'node scripts/review.mjs' (or any unreviewed local Node script) in a production environment — inspect the script contents in a safe sandbox first. Ask the publisher to either include the tool or provide a clear, auditable install step (and the exact repository URL and commit). If you expect the skill to operate on your project files, ensure you understand which files it will read and whether it will transmit results externally.



Runtime requirements

Clawdis
Bins: node