Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Br Risk Analyzer

v1.0.0

Analyzes risk against requirement documents and analyzes code vulnerabilities. Analyzes code changes between commits against requirement documents to identify and prioritize risk points.

0 · 44 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (requirement-driven risk analysis) aligns with the instructions: locate code by semantic search, compare to requirements, classify risks, and persist findings. Nothing requested (no env vars, no installs) is out of scope for a code-review skill.
Instruction Scope
SKILL.md explicitly instructs the agent to read repository files, perform semantic search/grep, map data/control flow, and produce evidence-linked findings. This is appropriate for the stated purpose, but the instructions do not explicitly constrain scope beyond user-provided 'Scope' inputs (e.g., they could read any files in repo). The skill also instructs writing analysis to resources/project-understanding.md in the repository.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute; lowest install risk. package.json and docs are present but there is no installer or downloadable artifact.
Credentials
No environment variables, credentials, or config paths are requested. The declared needs (repository access and requirement documents) are proportionate to the stated task.
Persistence & Privilege
The skill persists analysis to resources/project-understanding.md (documented). It does not force permanent inclusion (always: false). Because it writes into the project, users should be aware it can modify repository files when invoked.
Assessment
This skill is coherent for requirement-driven code review, but review the following before enabling it:
1) Limit the code scope you provide: run it against a clone or a restricted-to-review branch so it cannot access unrelated files.
2) Be aware it will write analysis to resources/project-understanding.md; make sure that file location is acceptable (or change it to a sandbox).
3) Do not grant the agent elevated system or external network permissions you wouldn't grant a human reviewer.
4) If you want to avoid any write operations, run the skill in a read-only environment or require manual approval before saving outputs.
Overall this skill appears to do what it claims and does not request disproportionate access.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971zrfpnv2yjrbng7sek8kcxn83zxhd
