Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Refactor
v0.1.0
Analyze code quality issues, detect code smells, and automatically apply refactoring suggestions with preview, apply, and rollback support.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code: analyzer, refactorer, applier, and validator. The files implement analysis, plan generation, dry-run/apply/rollback, and test validation — all expected for a refactoring tool. There are no unrelated environment variables, binaries, or config paths.
Instruction Scope
SKILL.md instructs local analysis/refactor/apply commands that align with the code. The validator runs 'npm test' via child_process; this is expected for test validation but means the skill will execute repository test scripts (arbitrary code in the project). The applier writes edits to files and creates backups. Review diffs and backups before applying changes.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or executed at install time. The skill bundles Node source files; execution uses local Node runtime. package.json declares engines >=18 but no external package installs are performed by the skill itself.
Credentials
The skill requests no environment variables, credentials, or unrelated config paths. It accesses only local files (fs) and runs local commands — appropriate for a code refactoring tool.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. However, it can modify repository files (writes, backups, rollbacks) and execute 'npm test' in the working directory. Those capabilities are legitimate for refactoring but grant file-modification and code-execution privileges within the repo.
Assessment
This skill appears to do what it claims: analyze and propose/apply refactorings locally. Main cautions: 1) The validator runs 'npm test' (child_process) in the repository — that will execute whatever scripts are defined in package.json, which could run arbitrary code. 2) The applier writes changes to files and creates .backup files; although a rollback is provided, always inspect the generated diff before applying. Recommendations: run the skill in dry-run mode first, review the generated plan and diffs, run it on a copy/branch or in a sandbox, verify package.json test scripts before allowing non-dry-run operations, and keep version control so you can revert if needed.
src/validator.js:131
Shell command execution detected (child_process).
src/validator.js:99
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
