Code Review Assistant
v1.0.0
Automated code review assistant supporting PR review, code quality analysis, potential bug detection, and security vulnerability scanning.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name and description promise automated, multi-language code analysis, bug detection, and vulnerability scanning. The repository contains only a small Bash script that prints hard-coded example reports and a short branch that runs git diff; it does not parse files, run linters or static analyzers, or call any security scanner. The claimed capability and the actual implementation do not match.
Instruction Scope
SKILL.md instructs the user to run commands like 'review', 'diff', and 'pr' and claims built-in analysis for many languages. The shell script's 'review' command never reads or analyzes the target file/directory contents (it simply prints a canned report). The 'pr' command only prints a note about GITHUB_TOKEN and does not implement PR fetching. The instructions therefore overstate functionality and give the agent broad discretion without backing implementation.
Install Mechanism
No install spec or external downloads are present; the skill is instruction-only with a bundled shell script. No network fetches or archive extraction are specified, which is low-risk from an install perspective.
Credentials
No required environment variables are declared. The script mentions GITHUB_TOKEN in its output text as an optional configuration for PR reviews; that would be reasonable if PR integration existed, but nothing in the script reads GITHUB_TOKEN. If PR support is added later, a GitHub token would be expected; do not supply one until you have inspected and trust the code that uses it.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify system configuration. It does not write files or install system-wide changes by itself.
What to consider before installing
This skill claims to perform automated, multi-language code reviews and vulnerability scans, but the included code is a small Bash script that prints example reports rather than analyzing your code. If you expect real analysis, do not rely on this skill yet. Before installing or granting any secrets (e.g., GITHUB_TOKEN):
1) inspect the script and any other code to confirm it actually performs analysis (search for calls to linters, static analyzers, or network APIs);
2) run it in a sandbox or test repository and observe what it does with the target you give it;
3) do not provide tokens or integrate it into CI until the PR logic and credential handling have been reviewed;
4) if you need genuine code scanning, prefer well-known tools (semgrep, eslint, bandit, gosec, etc.) or a skill that clearly documents and executes those engines.
The gap between claims and implementation is a red flag: treat this as a stub or demo, not a production analyzer.
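The checks in steps 1 and 2 can be scripted. The following is an added example written for this page, not the skill's own code: it creates a hypothetical stand-in for the bundled script that behaves the way the scan report describes (a canned report, GITHUB_TOKEN only mentioned in an echo), then greps it for analyzer and network invocations, distinguishes a token that is merely mentioned from one that is actually dereferenced, and runs the review command against a path that does not exist to see whether the script notices. The tool names in the regexes are an assumed starting list, not an exhaustive one.

```shell
#!/bin/sh
# Added example: pre-install audit of a skill's bundled shell script.
# The stub written by make_stub_skill is constructed for this page and
# imitates the behaviour described in the scan; it is not the skill's code.

# Write a hypothetical stand-in for the bundled script to $1/review.sh.
make_stub_skill() {
  mkdir -p "$1"
  cat > "$1/review.sh" <<'EOF'
#!/bin/sh
case "$1" in
  review) echo "Review report: 0 bugs, 0 vulnerabilities (example)" ;;
  diff)   git diff --stat 2>/dev/null ;;
  pr)     echo "Set GITHUB_TOKEN to enable PR review" ;;
  *)      echo "usage: review.sh review|diff|pr" ;;
esac
EOF
  chmod +x "$1/review.sh"
}

# Count lines in file $1 matching ERE $2; print 0 instead of failing on no match.
count_pattern() { grep -cE "$2" "$1" || true; }

# Lines that invoke a network client (assumed list of tool names).
network_calls() {
  count_pattern "$1" '(^|[^[:alnum:]_])(curl|wget|nc|ssh|gh)([^[:alnum:]_]|$)'
}

# Lines that invoke a real analysis engine (assumed list of tool names).
analyzer_calls() {
  count_pattern "$1" '(^|[^[:alnum:]_])(semgrep|eslint|bandit|gosec|shellcheck|pylint)([^[:alnum:]_]|$)'
}

# Any mention of the token, including inside string literals.
token_mentions() { count_pattern "$1" 'GITHUB_TOKEN'; }

# Lines that actually dereference the token ($GITHUB_TOKEN or ${GITHUB_TOKEN...}).
token_reads() { count_pattern "$1" '[$][{]?GITHUB_TOKEN'; }

# Behavioural check: a script that analyzes its target cannot succeed on a
# path that does not exist. Exit status 0 here means the report is canned.
canned_report() {
  if "$1/review.sh" review "/nonexistent/target.$$" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

audit_skill() {
  f="$1/review.sh"
  echo "network client calls:            $(network_calls "$f")"
  echo "analyzer invocations:            $(analyzer_calls "$f")"
  echo "GITHUB_TOKEN mentioned/read:     $(token_mentions "$f")/$(token_reads "$f")"
  echo "canned report on missing target: $(canned_report "$1")"
}

# Stand-alone run against the constructed stub.
skill_dir="${TMPDIR:-/tmp}/stub-skill.$$"
make_stub_skill "$skill_dir"
audit_skill "$skill_dir"
rm -rf "$skill_dir"
```

Point `audit_skill` at the directory of a real skill (after renaming the file check to whatever script it bundles) and read the four lines together: zero analyzer and network invocations plus a token that is mentioned but never read, combined with a successful "review" of a path that does not exist, is exactly the stub-versus-claims pattern the scan above describes. The grep heuristics only catch direct invocations, so still read the script before trusting a clean result.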
Tags: code-review · latest · linter · quality · security
Runtime requirements
🔍 Clawdis
