Code Review Fix Hardened
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The code-review feature is mostly purpose-aligned, but the package includes a hardcoded billing key and attempts automatic paid SkillPay charges after the free trial.
Review the billing code before installing or running this skill. Only use it if you are comfortable with SkillPay charges after three free uses; replace or remove the embedded billing key; set a non-identifying SKILLPAY_USER_ID if needed; and run --fix only in a version-controlled workspace where you can inspect the changes it makes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A packaged billing credential can be abused or misused, and users cannot easily verify what account or authority it represents.
A real-looking billing API credential is bundled directly in the distributed source and used to authorize SkillPay requests.
const BILLING_API_KEY = 'sk_9733...bd8'; ... 'X-API-Key': BILLING_API_KEY
Do not ship live API keys in skill code. Move billing credentials to a declared, user-controlled secret/config path and rotate the exposed key.
Using the tool after the trial may debit a SkillPay balance without a separate per-charge confirmation step.
After three free calls, normal review execution attempts to charge the user through SkillPay before continuing.
if (!isFree) { ... const result = await chargeUser(userId); ... console.log(`✅ 扣费成功!当前余额: ${result.balance} USDT`); }
Require explicit confirmation before each paid charge, clearly declare the billing capability in metadata, and provide a way to disable billing for local-only use.
A local username or SkillPay user identifier may be sent to an external billing provider during paid use.
The billing user ID falls back to the local OS username, which is then used in SkillPay billing calls.
return process.env.SKILLPAY_USER_ID || 'local-user-' + require('os').userInfo().username;
Use a non-identifying SKILLPAY_USER_ID where possible and disclose exactly what billing identifiers are sent externally.
Automatic fixes could change or break code if run on an important file without review.
The --fix option directly overwrites the target file with generated fixes.
if (values.fix && analysis.fixable) { ... writeFileSync(filePath, fixedCode); ... }
Run it in a git-tracked workspace, inspect diffs before committing, and prefer a preview/patch mode for important code.
A local state file may be created in projects and could be accidentally committed if not ignored.
The tool persists local usage counters in the current project directory.
stateFile: join(process.cwd(), '.code-review-fix-state.json') ... saveState(state);
Document the state file, add it to .gitignore, or store usage state in a clearly scoped application data directory.
