Code Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

This skill looks purpose-aligned for code review. Before using it on sensitive repositories, decide whether external AI review is acceptable; otherwise use local-only behavior or Ollama, and keep provider API keys unset. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private or proprietary code could leave your machine if you configure an external provider and run AI-powered review.

Why it was flagged

This confirms that code under review may be transmitted to an external or local model provider as part of the intended functionality.

Skill content

“The full source code and local findings are sent to your chosen AI model (Anthropic, OpenAI, or Ollama)”

Recommendation

Use the local-only or Ollama mode for sensitive repositories, and avoid sending secrets or proprietary code to external providers unless your organization permits it.

What this means

Reviews may consume paid API quota and operate under your provider account when keys are present.

Why it was flagged

The skill reads provider API keys from environment variables to make Anthropic or OpenAI requests, which is expected for this integration but uses the user's provider account authority.

Skill content

return _e.ANTHROPIC_API_KEY || _e.CLAUDE_API_KEY || null; ... return _e.OPENAI_API_KEY || null;

Recommendation

Use dedicated, limited-scope API keys where possible, monitor provider usage, and unset keys when you want local-only review.

What this means

Malicious code comments could reduce review quality, hide issues, or cause malformed AI output.

Why it was flagged

The reviewed source code is inserted verbatim into the model prompt. If the code contains adversarial comments or strings, the model could potentially treat them as instructions rather than data.

Skill content

`${codeContent}` ... `Respond with valid JSON only.`

Recommendation

Treat AI review results as advisory, and consider adding stronger prompt wording that tells the model to ignore instructions contained inside the reviewed code.