concurrencyguard
v1.0.1
Race condition & concurrency safety analyzer -- detects unprotected shared state, missing locks, TOCTOU vulnerabilities, async/await pitfalls, thread-unsafe...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (concurrency analysis) match the shipped scripts, regex pattern library, and hook integration. Required binaries (git, bash, python3, jq) are reasonable for code discovery, .gitignore awareness, and config parsing. The primary credential (CONCURRENCYGUARD_LICENSE_KEY) matches advertised Pro/Team features.
Instruction Scope
SKILL.md instructs the agent to run local bash scripts in the skill directory to scan files, install lefthook hooks, or generate reports. The scripts read local files (repo sources, optional ~/.openclaw/openclaw.json), respect .gitignore/allowlists/baselines, and do not perform network calls. Installing hooks will add/modify lefthook.yml in the repository (expected behavior).
Install Mechanism
The only declared install action is a Homebrew formula (lefthook), which is a known git-hook manager; the code also documents an npm alternative. No arbitrary remote downloads or extracted archives were observed.
Credentials
Only the license key (CONCURRENCYGUARD_LICENSE_KEY) is treated as a primary credential. The scripts optionally read ~/.openclaw/openclaw.json to find the key. An optional CLAWHUB_JWT_SECRET is used only to verify JWT signatures if present (not required). No unrelated service credentials or secrets are requested.
Persistence & Privilege
always:false and model invocation allowed (default). The skill writes lefthook.yml to a repository only when the user runs 'hook install' (explicit action). It does not attempt to modify other skills or global agent settings beyond reading ~/.openclaw/openclaw.json for a license key.
Assessment
This skill appears to do what it claims: a local, regex-based concurrency scanner with optional pre-commit hook integration and a paid license for Pro/Team features. Before installing, note: (1) the hook installer will add/append a lefthook.yml in your repo and run lefthook install — back up any existing lefthook.yml if you care about custom hooks; (2) Pro/Team modes require you to provide CONCURRENCYGUARD_LICENSE_KEY (or store it in ~/.openclaw/openclaw.json), and the license-check runs locally (no network calls in the code); (3) the scanner uses many regex patterns and may produce false positives — review findings before making code changes. If you want absolute assurance, inspect the scripts in the skill directory on your machine (scripts/*.sh and config/lefthook.yml) before running hook install.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚡ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: CONCURRENCYGUARD_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook