java-code-review
Security checks across malware telemetry and agentic risk
Overview
This is a transparent GitLab Java code-review helper, but it uses a GitLab token and can create merge requests or perform merges after user approval.
This skill appears benign and purpose-aligned. Before using it, provide only a least-privilege GitLab token, verify the project and branch names, read the CR report before approving a merge, and keep generated review reports in a private location.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GitLab token with broad permissions could allow reading private repositories or changing branches if misused.
The skill requires a GitLab token to call repository APIs. This is expected for the integration, but the token may carry source-code read and merge permissions.
| Authentication method | PRIVATE-TOKEN or Authorization: Bearer |
| Token source | TOOLS.md or user-specified |
Use a least-privilege GitLab token, avoid shared broad tokens, and provide the token only for the intended GitLab instance and project.
Approving the wrong project or branch merge could change important repository state.
The skill can create merge requests or perform branch merge operations through the GitLab API. The instructions require user confirmation, making this purpose-aligned but still a high-impact action.
**After user confirmation**, call the merge API:
POST /api/v4/projects/{project_id}/merge_requests
Review the generated CR report and confirm the project, source branch, and target branch before allowing any merge or merge-request action.
Stored CR reports may contain project names, branch names, author names, file paths, and security findings from private code.
The skill persists review reports and reuses issue-tracking context in later reviews. This is useful for code review, but it means repository metadata and review findings may be stored locally.
3. **Follow-up loop**: record issues and check their fix status in later CRs
4. **Report archiving**: CR reports are saved to the `task/codereview/{日期}/` directory (the placeholder is the date)
Store reports in an appropriate private workspace and delete or archive them according to your team's retention policy.
