
perfguard

by suhteevah · GitHub ↗ · v1.0.2 · MIT-0
Platforms: darwin · linux · win32 · ⚠ suspicious
81 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw: /install perfguard
Description
Performance anti-pattern scanner — finds N+1 queries, sync I/O, missing pagination, and memory leaks before they hit production
Usage Guidance
PerfGuard appears to implement a local, grep-based performance scanner and an optional git pre-commit hook installer; this is coherent with its description. Before installing:
- Decide whether you want a tool that can modify your repository's lefthook.yml and run code on staged files (hooks installation appends or copies config and runs lefthook install). Review the config/lefthook.yml and how the hook sources the skill scripts to ensure it points to the intended skill installation path.
- Understand license behavior: PERFGUARD_LICENSE_KEY unlocks Pro/Team features and is the declared primary credential. The offline JWT verification does not cryptographically verify tokens unless CLAWHUB_JWT_SECRET is set (an undeclared env var). That means, without the secret, the scripts perform only structural checks on the token; this weakens license enforcement and could allow local bypass of paid checks. If you rely on the signature check, set CLAWHUB_JWT_SECRET in a secure location.
- The skill may use optional local tools if present (node, openssl); those are not declared as required. Ensure your environment's node/openssl behavior is acceptable.
- The tool claims 'zero telemetry' and 'no external uploads'; the code is local and contains no outgoing network calls, but always inspect any hooks you install and the skill path to be sure you're sourcing the expected scripts.
If these caveats are acceptable and you trust the skill source/homepage, the tool is functionally coherent; if you need stronger license guarantees or want to avoid repo modifications, proceed cautiously or request changes (declare CLAWHUB_JWT_SECRET, make signature verification mandatory, or require explicit consent before modifying lefthook.yml).
Capability Analysis
Type: OpenClaw Skill
Name: perfguard
Version: 1.0.2
The skill contains a critical command injection vulnerability in `scripts/license.sh`. The `extract_field` and `decode_jwt_payload` functions interpolate decoded JWT payload data (user-controlled via the license key) directly into `python3 -c` and `node -e` execution strings without sanitization, allowing for arbitrary code execution via a crafted license key. Additionally, the `show_trend` command in `scripts/analyzer.sh` performs automated `git checkout` operations on historical commits, which is an invasive operation that could trigger unexpected side effects or git hooks in certain repository environments.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description match the code: the scripts implement a local, regex-based performance scanner for multiple languages and include commands for scanning, reports, hotspots and git hooks. Required binaries (git, bash, python3, jq) are reasonable for the stated features (git for repo operations/hooks, python3/jq as JSON helpers). The brew install (lefthook) aligns with the hooks feature.
Instruction Scope
Runtime instructions and scripts operate locally and consistently with the description (they find files, run grep-based patterns, calculate scores). The skill reads ~/.openclaw/openclaw.json for a stored license/key (declared in metadata). The hooks installation logic will source the skill's scripts from a skill directory and run a hook-scanner on staged files — that is expected but means the skill's scripts will be run automatically on commits once hooks are installed.
Install Mechanism
Install spec uses 'brew' to install lefthook, a known git-hooks manager. The code files themselves are instruction-based shell scripts (no external downloads in the install spec), which keeps the install surface small.
Credentials
Primary credential PERFGUARD_LICENSE_KEY is declared and used for Pro/Team features — that's appropriate. However, license.sh also optionally reads CLAWHUB_JWT_SECRET (used to verify JWT signatures) and will try node/openssl if present; CLAWHUB_JWT_SECRET is not declared in requires.env. The script will accept a license token without cryptographic verification if CLAWHUB_JWT_SECRET is not set (it only enforces structural integrity and a non-empty signature segment), which weakens offline license checks and could be abused to unlock paid features locally. The scripts read ~/.openclaw/openclaw.json (declared), but they may also invoke optional tools (node, openssl) that aren't listed as required.
Persistence & Privilege
always:false and model invocation is allowed (default); the skill does not request system-wide persistent privileges. Installing hooks will modify or append to the project's lefthook.yml and run lefthook install — this modifies repo state (expected for a hooks installer) and could affect commit workflows. The hooks attempt to source the skill scripts from a path (default $HOME/.openclaw/skills/perfguard); if that path is changed, hooks may fail or skip scanning.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install perfguard
  3. After installation, invoke the skill by name or use /perfguard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Fix: POSIX ERE regex compliance, declare all deps, JWT verification
v1.0.0
Initial release of PerfGuard: a performance anti-pattern scanner for codebases.
- Scans for 40+ performance issues in Python, JS/TS, Ruby, and Java projects using local regex-based analysis.
- Supports free and paid tiers: free tier limits scanning to 5 files; paid tiers unlock unlimited scans, advanced checks, and detailed remediation.
- Provides CLI commands for one-shot scans, markdown reports, git pre-commit hook integration, hotspot analysis, performance budgets, and trend tracking over git history.
- Detects issues like N+1 queries, sync I/O, unbounded queries, missing pagination, memory leaks, and more.
- No code leaves your machine; all checks run locally.
Metadata
Slug: perfguard
Version: 1.0.2
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is perfguard?

Performance anti-pattern scanner — finds N+1 queries, sync I/O, missing pagination, and memory leaks before they hit production. It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install perfguard?

Run "/install perfguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is perfguard free?

Yes, perfguard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does perfguard support?

perfguard is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created perfguard?

It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.2.
