Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
python-code-analyz
v1.0.0 · Professional Python code analysis and optimization, supporting syntax checking, security scanning, performance evaluation, complexity analysis, and generation of optimized code after refactoring.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Benign (medium confidence)
Purpose & Capability
Name/description (Python code analysis, security/performance checks, refactoring) align with the included code, docs, and examples. The code implements AST-based checks, secret pattern detection, timeout checks, SQL/command injection heuristics, etc., which are expected for this purpose. Repository metadata and SKILL.md match the analyzer functionality.
Instruction Scope
SKILL.md instructs standard repo actions (git clone, pip install -r requirements.txt, run analyzer or paste code for analysis). It does not instruct reading unrelated host files or sending data to unexpected external endpoints. Minor notes: example.py writes a sample file to /tmp (benign but will create/overwrite files there), SKILL.md and README contain placeholder GitHub URLs (yourusername) which are not real — verify repository/source before cloning. The example includes a hardcoded API key purely as demonstration; treat such examples as insecure if copied into production.
Install Mechanism
There is no automated install spec in the registry metadata (instruction-only skill). SKILL.md suggests pip install from local repo and requirements.txt is empty (standard-library-only), so no remote installers or downloads are required. publish.sh and PUBLISH.md call a ClawHub CLI for publishing only; they do not download arbitrary code. Overall low install risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code recommends using environment variables for secrets (os.getenv) in suggestions but does not require any secrets. No evidence of credential exfiltration or calls that would need unrelated credentials.
Persistence & Privilege
Flags are standard: always:false, user-invocable:true, autonomous invocation allowed (default). The skill does not request permanent system presence or modify other skills' configs. publish.sh contains operations to publish the skill (requires clawhub login) but that is a normal developer helper and not an elevation of privilege.
Assessment
This skill appears coherent with its stated purpose (static Python analysis and auto-refactoring) and doesn't ask for credentials or download code from arbitrary URLs. Before installing or running: 1) Inspect the remaining parts of analyzer.py (the provided snippet was truncated) to confirm there are no hidden network calls or file exfiltration; 2) Run the tool in a sandboxed environment or container first; 3) Do not run publish.sh unless you intend to publish and have the ClawHub CLI and account — it requires a logged-in user and will call clawhub publish; 4) Treat example code that includes hardcoded API keys as purely illustrative and never copy such secrets into real projects. If you want, I can fully scan the remaining parts of analyzer.py (provide the truncated portion) or run a targeted static check for network/subprocess/file-write patterns.
Flagged location: analyzer.py:337 · Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Tags: code-review, optimization, python, security, static-analysis (version tag: latest)
