Skill v1.0.0

ClawScan security

Code Review Assistant Zhuyu28 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 12:18 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions are coherent with a code-review assistant: it analyzes local files, asks for no credentials, has no install steps, and contains no obvious exfiltration or privileged behavior.
Guidance
This skill appears internally consistent and low-risk: it analyzes files you provide and asks for no credentials or installs. Before installing, note that the source/homepage is unknown (no external provenance), so only feed it code you are comfortable sharing with the skill. Do not pass secrets or private keys as sample files. Also be aware the bundled script imports subprocess (unused in current code) — while harmless as-is, unused imports could be leveraged if the code is later modified; if you plan to enable autonomous invocation, prefer skills from known publishers or review the source yourself first.

Review Dimensions

Purpose & Capability
ok: Name and description match the provided code and guidelines. The included script performs static checks on files (Python/JS) and the guidelines file documents expected review rules — nothing requested (env, binaries, installs) is disproportionate to a code-review tool.
Instruction Scope
ok: SKILL.md instructs the assistant to analyze provided code/files and to review included source. The runtime instructions do not ask the agent to read unrelated system files, environment variables, or send data to external endpoints.
Install Mechanism
ok: No install spec is present (instruction-only plus a small local script). This is low-risk: nothing is downloaded or written to disk by an installer.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The script reads only files you explicitly pass to it and does not read environment variables or other system-wide credentials.
Persistence & Privilege
ok: always is false and the skill does not claim persistent/system-level presence or modify other skills. Autonomous invocation (disable-model-invocation=false) is the platform default and not by itself a concern here.