Urlsession Code Review

v1.2.1

Reviews URLSession networking code for iOS/macOS. Covers async/await patterns, request building, error handling, caching, and background sessions.

by Kevin Anderson (@anderskev)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/urlsession-code-review.

Install the skill "Urlsession Code Review" (anderskev/urlsession-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/urlsession-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install urlsession-code-review

ClawHub CLI

npx clawhub@latest install urlsession-code-review

Security Scan

VirusTotal: Pending
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (URLSession code review) matches the provided SKILL.md and reference documents. The skill is instruction-only, requests no binaries, env vars, or config paths, and does not attempt to perform unrelated platform actions.
Instruction Scope
SKILL.md defines a narrow, well-scoped review workflow (gates, file:line citations, checklist items) that confines the agent to analyze code containing URLSession/URLRequest/etc. It does not instruct the agent to read system-wide files, environment variables, or send data to external endpoints. Note: the skill expects to read the files under review (it requires citing file:line), so it will process any code the user provides.
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded or written to disk by an installer step — lowest-risk installation profile.
Credentials
The skill declares no required environment variables, credentials, or config paths. Reference docs discuss Keychain and file operations only as guidance for reviewed code; the skill itself does not request secrets or unrelated credentials.
Persistence & Privilege
always:false (normal). disable-model-invocation is false, meaning the agent can autonomously invoke the skill per platform defaults — this is expected for skills but increases blast radius compared to a manually-invoked-only skill. There is no request to modify other skills or persistent system settings.
Assessment
This skill is coherent and appears to do what it says: a local code-review checklist for URLSession usage. Before installing: (1) remember it will analyze any code files you give it, so avoid providing files containing secrets or unrelated private data; (2) the owner and homepage are unknown — review the SKILL.md and reference docs yourself to confirm they match your expectations; (3) if you prefer the skill not be invoked autonomously, consider disabling model invocation or restricting skill usage in your agent settings; (4) because the skill is instruction-only, it won’t download code during install, but the agent may process and summarize code you upload — treat outputs as assistant-generated guidance, not a replacement for a human security review.

License: MIT-0

URLSession Code Review

Quick Reference

| Topic | Reference |
|-------|-----------|
| Async/Await | async-networking.md |
| Requests | request-building.md |
| Errors | error-handling.md |
| Caching | caching.md |

Review Checklist

Response Validation

  • HTTP status codes validated - URLSession does NOT throw on 404/500
  • Response cast to HTTPURLResponse before checking status
  • Both transport errors (URLError) and HTTP errors handled
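
The three Response Validation items above in one async call, as an added Swift example (not code from the skill or its reference docs). `APIError` and `fetchValidated` are hypothetical names chosen for illustration.

```swift
import Foundation

// Hypothetical error type for this example; not part of Foundation or the skill.
enum APIError: Error {
    case transport(URLError)            // no usable response: DNS, TLS, timeout, offline
    case nonHTTPResponse                // response could not be cast to HTTPURLResponse
    case http(status: Int, body: Data)  // server answered, but outside 200-299
}

// Fetches `url` and turns non-2xx statuses into errors.
// URLSession itself only throws for transport failures; a 404 or 500
// arrives here as a normal (data, response) pair.
func fetchValidated(_ url: URL, session: URLSession = .shared) async throws -> Data {
    let data: Data
    let response: URLResponse
    do {
        (data, response) = try await session.data(from: url)
    } catch let error as URLError {
        // Transport-level failure: keep it distinct from HTTP status failures
        // so callers can decide separately about retry and user messaging.
        throw APIError.transport(error)
    }

    // The status code only exists on HTTPURLResponse, so cast before checking.
    guard let http = response as? HTTPURLResponse else {
        throw APIError.nonHTTPResponse
    }

    // Keep the body on failure: many APIs put the error detail there.
    guard (200...299).contains(http.statusCode) else {
        throw APIError.http(status: http.statusCode, body: data)
    }
    return data
}
```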

Memory & Resources

  • Downloaded files moved/deleted (async API doesn't auto-delete)
  • Sessions with delegates call finishTasksAndInvalidate()
  • Long-running tasks use [weak self]
  • Stored Task references cancelled when appropriate

Configuration

  • timeoutIntervalForResource set (default is 7 days!)
  • URLCache sized adequately (default 512KB too small)
  • Sessions reused for connection pooling

Background Sessions

  • Unique identifier (especially with app extensions)
  • File-based uploads (not data-based)
  • Delegate methods used (not completion handlers)

Security

  • No hardcoded secrets (use Keychain)
  • Header values sanitized for CRLF injection
  • Query params via URLComponents (not string concat)
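
The header and query-parameter items above, as an added Swift example (not code from the skill or its reference docs). `RequestBuildError`, `checkedHeaderValue`, `makeSearchRequest`, the host `api.example.com` and the `X-Client-Label` header are all hypothetical.

```swift
import Foundation

// Hypothetical error type for this example.
enum RequestBuildError: Error {
    case invalidURL
    case unsafeHeaderValue(field: String)
}

// Rejects, rather than strips, header values that carry CR, LF or NUL.
// The check runs on unicodeScalars because Swift treats "\r\n" as ONE Character,
// so a Character-level search for "\r" or "\n" does not match a CRLF pair.
func checkedHeaderValue(_ value: String, field: String) throws -> String {
    let hasControl = value.unicodeScalars.contains {
        $0 == "\r" || $0 == "\n" || $0 == "\0"
    }
    guard !hasControl else {
        throw RequestBuildError.unsafeHeaderValue(field: field)
    }
    return value
}

// Builds a GET request from untrusted `term` and `clientLabel` values.
func makeSearchRequest(term: String, clientLabel: String) throws -> URLRequest {
    var components = URLComponents()
    components.scheme = "https"
    components.host = "api.example.com"   // placeholder host
    components.path = "/v1/search"
    // URLQueryItem percent-encodes "&", "=", "#" and spaces in the value,
    // so `term` cannot add or override parameters as it could with string concat.
    components.queryItems = [URLQueryItem(name: "q", value: term)]
    // URLComponents leaves "+" unescaped, and many servers decode it as a space.
    if let query = components.percentEncodedQuery {
        components.percentEncodedQuery = query.replacingOccurrences(of: "+", with: "%2B")
    }
    guard let url = components.url else {
        throw RequestBuildError.invalidURL
    }

    var request = URLRequest(url: url)
    let label = try checkedHeaderValue(clientLabel, field: "X-Client-Label")
    request.setValue(label, forHTTPHeaderField: "X-Client-Label")
    return request
}
```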

Hard gates (before reporting findings)

Complete in order. Do not advance while a prior gate is open.

  1. Scope. Pass: You name at least one file under review where URLSession, URLRequest, HTTPURLResponse / URLResponse, URLCache, or URLError appears on a networking path. If none apply, stop with “out of scope.”
  2. HTTP vs transport. Pass: Before claiming missing HTTP status handling or “404 treated as success,” you cite file:line for the completion/async/for await path that receives response and state whether HTTPURLResponse is cast and statusCode is checked (or cite the helper that does). If you cannot see the handler, say unknown and ask for it—do not assume.
  3. Session lifecycle. Pass: For a custom URLSession with a delegate, you cite finishTasksAndInvalidate() or the documented long-lived/singleton pattern you rely on; for .shared, say so if the finding depends on configuration. Skip if only ad hoc URLSession.shared one-shots with no delegate issues.
  4. Background or file transfer (if applicable). Pass: If URLSessionConfiguration.background, downloadTask, or app-extension–scoped sessions appear, findings cite identifier uniqueness, delegate vs completion-handler usage, or file URLs as required. If none of those APIs appear, mark N/A and continue.
  5. Severity and checklist. Pass: Every Critical item includes file:line and names which Review Checklist subsection it violates (e.g. Response Validation, Background Sessions). Lower-severity items still name the file(s) they are drawn from.

Output Format

### Critical
1. [FILE:LINE] Missing HTTP status validation
   - Issue: 404/500 responses not treated as errors
   - Fix: Check `httpResponse.statusCode` is 200-299
