Code Refactor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is purpose-aligned for code refactoring, but users should be aware that its apply and validation modes can edit files and run local test commands.

Install only if you are comfortable with a refactoring tool that can modify local source files and run project tests. Start with dry-run previews, review changes before applying, and use it in a version-controlled, trusted project.

Static analysis

Dangerous exec (Critical)
Finding: Shell command execution detected (child_process).

Dynamic code execution (Critical)
Finding: Dynamic code execution detected.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If applied to the wrong file or if the refactoring is incorrect, project code can be changed or broken.

Why it was flagged

Apply mode can directly modify the selected source file as part of refactoring. The code creates backups by default, so this is expected behaviour, but it is still a high-impact local mutation.

Skill content
fs.writeFileSync(filePath, updatedCode);
Recommendation

Use dry-run first, review the generated changes, keep the project under version control, and apply only to intended files.

What this means

Validation may run project scripts with the user's local permissions.

Why it was flagged

The validation step executes a shell command, defaulting to npm test, in the project directory. Running tests is purpose-aligned, but npm scripts and custom testCommand values can execute arbitrary local commands.

Skill content
const output = execSync(this.options.testCommand, {
Recommendation

Run validation only in trusted repositories, review any configured testCommand and cwd, and prefer dry-run mode before applying changes.

What this means

The syntax check treats file content as JavaScript code and may behave differently from a real parser, especially for ES modules.

Why it was flagged

The syntax checker dynamically compiles the selected file content. The function is not called, so this appears to be a syntax-validation shortcut rather than hidden execution.

Skill content
new Function(code);
Recommendation

Prefer a dedicated JavaScript parser for syntax validation, and analyze only intended source files.