featurelint

v1.0.1

Statically analyze code for feature flag hygiene issues like stale flags, SDK misuse, safety risks, and architecture problems before production deployment.

License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (feature flag hygiene static analysis) matches the included files and runtime behavior: bash-based file discovery, POSIX ERE pattern matching, and reporting. Required files, CLI flags, and license-related env vars align with a local analyzer and its tiering model.
Instruction Scope
SKILL.md instructs the agent to run the provided dispatcher/scan/analyzer scripts to inspect the codebase. The scripts operate on files found under the target directory and produce local reports — this is expected for a static analyzer. There are no instructions to read unrelated system secrets, ssh keys, or to transmit scan results to third parties.
Install Mechanism
There is no install spec; the skill is instruction/script-based and runs entirely from the included scripts. No downloads or external installers are invoked by default, which minimizes supply-chain risk.
Credentials
Environment variables declared in SKILL.md (FEATURELINT_LICENSE_KEY, FEATURELINT_TIER, FORMAT, etc.) are appropriate for a tiered product. One noteworthy behavior: when FEATURELINT_LICENSE_KEY is set the license module may perform an online validation via curl to https://featurelint.pages.dev/api/validate and will cache license state in ~/.cache/featurelint/license.cache. This is proportional to license checking but is the only network activity and is triggered only when a license key is provided.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a small license cache under the user's home directory (~/.cache/featurelint), which is consistent with offline/online license validation and not unexpected for this product.
Assessment
This skill appears to be a self-contained bash static analyzer and is internally consistent. Before installing or running it in CI, review and consider: (1) the scripts will scan files under the provided target directory — avoid pointing it at directories with secrets if you don't want local scanning of them; (2) if you set FEATURELINT_LICENSE_KEY the tool may make a short network call to https://featurelint.pages.dev/api/validate and will cache the license in ~/.cache/featurelint — only provide a license key you trust this package with; (3) because it's script-based with no install stage, you can safely inspect the included scripts locally and run them in a sandbox or ephemeral environment first. No unrelated credentials or elevated privileges are requested by the skill.
