Quack Code Review Hardened
Review
Audited by ClawScan on May 10, 2026.
Overview
This code-review skill is transparent that it sends selected code to an external analysis service, with documented consent and secret-checking guardrails, but users should treat uploaded code as sensitive.
Before installing or using this skill, be comfortable with sharing selected code with LogicArt or the linked repository scanner. Approve each upload deliberately, avoid full-repository scans unless necessary, and check files for API keys, passwords, private keys, or proprietary material before sending.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Code you ask the skill to analyze may leave your machine or workspace and be processed by an external service.
The helper sends the provided source code to an external LogicArt API. This is central to the skill's purpose and disclosed, but source code may contain proprietary logic or secrets.
const API = 'https://logic.art/api/agent/analyze'; ... body: JSON.stringify({ code, language: language || 'unknown' })
Only approve specific files or snippets you intend to share, remove embedded secrets first, and review the LogicArt/Validate Repo privacy terms before uploading private code.
If pointed at the wrong file, the helper could upload non-code or sensitive local content.
The tool can read any path supplied with --file and then upload its contents. That is expected for code review, but it depends on the agent/user limiting use to intended code files.
if (args.file) { code = readFileSync(args.file, 'utf8'); ... } ... await fetch(API, { method: 'POST', ... })
Use the --file option only for files you explicitly want reviewed, and follow the SKILL.md guardrails requiring approval and secret checks before upload.
The command may fail or behave differently if Node is not available, despite metadata saying no binaries are required.
The documented workflow relies on a local Node runtime, while the registry requirements declare no required binaries. This is a minor metadata/runtime declaration gap rather than hidden installation behavior.
node {baseDir}/scripts/analyze.mjs --file path/to/code.js
Declare Node as a required binary, or document the runtime requirement clearly in the installation metadata.
