Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

deadcode

v1.0.1

Dead code and unused export detector — scans JavaScript/TypeScript, Python, Go, Java, and CSS for dead code, orphan files, unused exports, and code cruft

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code: bash-based pattern scanner, language detection, report generation, and optional hook integration. Requested binaries (git, bash, python3, jq) and the lefthook brew formula are directly used by the scripts and align with the advertised features.
Instruction Scope
Runtime instructions and scripts operate locally (find/grep/awk/sed) and perform scanning, report generation, and installation/removal of lefthook hooks. They read and write ~/.openclaw/openclaw.json for license/config and will copy lefthook.yml into repo roots and run lefthook install—expected for pre-commit integration but notable because it modifies repo-level files and causes scripts to execute on each commit.
Install Mechanism
Install step is a single Homebrew formula (lefthook). No network downloads from arbitrary URLs or extracted archives are used; scripts are provided in the skill bundle. This is a low-risk install mechanism consistent with the stated purpose.
Credentials
Primary credential DEADCODE_LICENSE_KEY is justified by the Pro/Team features documented; the scripts also read/write ~/.openclaw/openclaw.json to persist keys and ignores (this path is declared in the SKILL metadata). One optional environment variable (CLAWHUB_JWT_SECRET) is referenced in license verification for signature checking but is not required — it only enables stronger local token verification when set.
Persistence & Privilege
always:false and model invocation are normal. The only persistence is writing/reading ~/.openclaw/openclaw.json (to store apiKey/ignore rules) and optionally adding lefthook.yml to repositories — both are appropriate for this skill but do modify user config and project files. Installing hooks will cause the skill's scripts to be sourced during commits.
Assessment
This skill is internally consistent with a local dead-code scanner. Before installing: (1) review the included scripts (scripts/*.sh) yourself — pre-commit hooks will source these files on every commit and can run arbitrary shell commands; (2) be aware that installing hooks will add/modify lefthook.yml in your repo and call `lefthook install`; (3) Pro/Team features require a JWT-style license key (DEADCODE_LICENSE_KEY) which the skill stores and reads from ~/.openclaw/openclaw.json or the environment; if you set CLAWHUB_JWT_SECRET you enable local signature verification; (4) Homebrew will be used to install lefthook. If you trust the skill source and inspect the hook content, it's reasonable to proceed. If you do not trust the source, do not install the hooks and inspect the scripts before running scans.

Like a lobster shell, security has layers — review code before you run it.

latestvk9763jk64zdfyz6t9zh0rr1g5h84ts95


Runtime requirements

💀 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: DEADCODE_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
