v1.0.0

Clean Code

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This is a benign clean-code guidance skill with no code or credential access, though users should review broad refactors and trust the install source.

Guidance: This skill appears safe as a code-style and refactoring guide. Before installing, make sure you trust the source of any npx command you run. When using it for refactoring, keep your project under version control and review the agent's proposed changes, especially if it updates dependent files.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Cascading Failures
Severity: Low, Confidence: High, Status: Note
templates/platforms/cursorrules.md
- Edit the file AND all dependent files in the same task
- Never leave broken imports or missing updates

The skill tells a coding agent to update dependent files, so a refactor may touch more than the initially requested file. This is aligned with safe refactoring, but it increases the blast radius if the agent makes an incorrect change.

User impact: A cleanup or refactor request could result in changes across multiple project files, not just the file the user first mentioned.
Recommendation: Use version control and ask the agent to show a plan and diff before applying broad refactors.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
README.md
npx add https://github.com/wpank/ai/tree/main/skills/testing/clean-code
...
npx clawhub@latest install clean-code-review

The installation documentation includes user-run commands that fetch/install from external sources, including an unpinned GitHub branch path and a latest-tag package invocation. The artifacts do not show automatic execution, but users should trust the source before running these commands.

User impact: If a user manually runs these install commands, they rely on the external package/source being trustworthy at that time.
Recommendation: Install through the trusted registry path when possible, and verify the source or pin a known version before running npx-based installation commands.