Pro Code Reviewer
Pass
Audited by ClawScan on May 8, 2026.
Overview
This is a coherent code-review helper that reads local git diffs and can optionally render a local HTML report; no artifact shows hidden exfiltration or destructive behavior.
This skill appears safe for its intended use: reviewing code changes in a git repository. Before installing or invoking it, be aware that it will inspect local source code and may run git commands; only use it in repositories you intend the agent to read, and request HTML reports only when you want a local file generated.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect repository history, diffs, and matching source files in the current project.
The skill directs the agent to run local git commands with user-selected refs and to search the repository. This is central to code review, but it is still local command/tool use.
Evidence: "review <sha>" ... `git show <sha>`; "review branch <name>" ... `git diff main...<name>`; `git grep "<function_name>"`
Recommendation: Run it only in the intended repository, keep review scopes specific, and confirm unusual branch names, commit ranges, or very large diffs before proceeding.

If an HTML report is requested, the agent may run the included Python renderer and write a local report file.
The package includes a Python helper intended to render review JSON into an HTML file. This is optional and purpose-aligned, but it is executable local code.
Usage: python3 render_report.py <input.json> <output.html>
Recommendation: Use the default chat/terminal report unless you want an HTML file, and review generated report paths before opening or sharing them.

Users cannot easily compare the submitted package to an upstream project or maintainer repository.
The registry metadata does not provide an upstream source or homepage for independent verification. The submitted artifacts themselves are coherent, but provenance is limited.
Source: unknown
Homepage: none
Recommendation: Treat the packaged artifacts as the review basis, and prefer installing from a trusted publisher or verified repository when available.

Private source code, comments, and nearby implementation details may be processed by the agent during review.
The review workflow intentionally brings local source code and surrounding context into the agent's working context. This is expected for code review, but it may include private or sensitive project content.
Evidence: For each changed file ... Read the full function/method surrounding each change ... search for callers: `git grep "<function_name>"`
Recommendation: Avoid running it on repositories containing secrets or highly sensitive code unless your agent environment is approved for that data.
