My Awesome Tools
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Most scripts are simple local generators, but the code review assistant appears to present a canned report as if it actually reviewed the user's code.
Install only if you are comfortable reviewing and running local shell scripts. Use the generators in a scratch or backed-up directory, do not rely on the code-review assistant for real security review, and avoid supplying GitHub credentials unless the implementation is audited and the token is narrowly scoped.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their real code was reviewed, miss actual vulnerabilities, or act on fake findings from the canned report.
The review command accepts a target path but the shown code does not read or analyze that target; it prints a hardcoded example report and says the review is complete. This conflicts with the advertised code-review automation and could mislead users.
echo "📁 Reviewing: $TARGET"
...
cat << 'REPORT'
### Code Review Report
... File: example.js ...
REPORT
echo -e "${GREEN}✅ Review complete!${NC}"

Treat this script as a placeholder, not a real code review tool. The publisher should either implement actual target analysis or clearly label the output as a demo/sample.
Running the script in the wrong project directory could replace an existing README.
The README generator writes directly to README.md in the current directory, which is expected for a generator but can overwrite an existing file without a confirmation or backup.
echo "$CONTENT" > README.md
Run generators in a clean or backed-up directory, and review pending file changes before committing them.
If a user later provides a broad GitHub token, it could grant repository access beyond what is needed.
The script references a GitHub token for PR review functionality. This is purpose-aligned, but it is a sensitive account credential, and the included code does not show how the token is actually used or scoped.

echo "⚠️ GitHub integration not configured"
echo " Set GITHUB_TOKEN to enable PR reviews"
Only use a minimally scoped GitHub token, and inspect any future PR-review implementation before providing credentials.
A generated page may execute third-party CDN code when opened or deployed.
Generated landing pages load JavaScript from third-party CDNs. That is common for quick templates, but it adds runtime supply-chain dependencies to the generated site.
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://unpkg.com/react@18/umd/react.development.js"></script>
<script src="https://unpkg.com/react-dom@18/umd/react-dom.development.js"></script>
For production, pin versions, consider subresource integrity or local builds, and review generated HTML before deployment.
