AI Code Review

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: ai-code-review-service
Version: 1.1.0

The skill bundle provides a legitimate AI-powered code review service with voice transcription and Discord notifications. The code in `references/code_review_service.py` includes proactive security measures, such as SSRF validation for diff URLs, path traversal protection for audio files using a sandboxed directory, and content escaping to prevent Discord injection. The `scripts/healthcheck.sh` script performs standard system monitoring and service recovery without any signs of malicious intent or unauthorized data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or mistaken diff URL could make the agent contact unintended internal or sensitive network endpoints.

Why it was flagged

The service fetches a user-supplied diff URL after only textual hostname checks; it allows HTTP and does not resolve or comprehensively block link-local, private IPv6, DNS-rebinding, or alternate IP forms.

Skill content

```
ALLOWED_DIFF_SCHEMES = {"https", "http"}
...
if hostname in ("localhost", "127.0.0.1", "0.0.0.0", "::1") or hostname.startswith("10.") ...
resp = requests.get(diff_url, timeout=REQUEST_TIMEOUT)
```

Recommendation

Require HTTPS, allowlist expected code-hosting domains or repositories, resolve hostnames before fetching, block all private/link-local ranges, and require explicit approval for any internal-network override.

What this means

The agent could upload an unintended local file to OpenAI if a crafted path escapes the intended voice-note directory.

Why it was flagged

The voice-note sandbox uses a string prefix check, so paths in sibling directories with the same prefix can pass; any accepted file is then uploaded to OpenAI for transcription.

Skill content

```
if not str(resolved).startswith(str(VOICE_NOTE_BASE_DIR)):
...
with open(resolved_path, "rb") as audio_file:
    transcription = client.audio.transcriptions.create(model="whisper-1", file=audio_file)
```

Recommendation

Use Path.relative_to or equivalent canonical containment checks, restrict file types and sizes, and ask for clear user confirmation before uploading local files to a provider.

What this means

Running the script could disrupt local containers, web services, or other workloads on the machine.

Why it was flagged

If run, the helper checks and restarts broad host services and writes a protected log file, but the SKILL usage does not clearly present this privileged system-control behavior.

Skill content

```
SERVICES=("nginx" "docker" "code-review-service" "whisper-api-gateway")
...
LOG_FILE="/var/log/code_review_healthcheck.log"
...
systemctl restart "$service"
```

Recommendation

Do not run the healthcheck unless you intentionally want it to manage those services; narrow the service list, add dry-run/confirmation behavior, and document required privileges and side effects.

What this means

Users may not realize the skill needs an OpenAI key and may post messages to a Discord channel through the configured webhook.

Why it was flagged

The skill needs provider credentials and a webhook for its stated integrations, but the registry metadata declares no required environment variables or primary credential.

Skill content

`OPENAI_API_KEY` | Yes | OpenAI API key for Whisper transcription |
...
`DISCORD_WEBHOOK_URL` | No | Discord webhook for review notifications |

Recommendation

Declare these credentials in metadata and use least-privilege keys/webhooks dedicated to this skill.

What this means

An agent or user may have to improvise setup, which can lead to running the wrong file or installing undeclared packages.

Why it was flagged

Despite being instruction-only, the artifacts include runnable Python and shell code, undeclared Python dependencies, and a documented command path that does not match the provided file path.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Add a clear install/run specification, declare dependencies and environment variables, and make the documented command match the packaged file path.