QA Reviewer

提供代码审查、单元测试、覆盖率分析和问题追踪，支持C++/Python/JavaScript，确保项目质量和文档完整度。

What to consider before installing/using this skill: - Source and provenance: the skill's Source/Homepage are unknown and the package repo URL in package.json should be verified (may not exist). Be cautious installing skills from unknown maintainers. - Missing referenced script: SKILL.md/README reference generate_report.sh but that file is not present—expect minor documentation drift or a packaging error; verify intended behavior before relying on it. - Test execution risk: run_tests.sh can compile and execute project tests (cmake/make or pytest). If the project contains untrusted code or malicious test runners, executing tests can run arbitrary code on your machine. This is expected for a testing tool but is a security risk when used on unknown repositories. - Recommended mitigations: - Inspect scripts (scripts/*.sh) yourself before running. They are simple and readable here, but still review any changes in future versions. - Run the scripts in an isolated environment (container, VM, sandbox) or on a CI runner with limited privileges when scanning untrusted projects. - Verify the repository URL and maintainer identity; prefer skills from known/trusted publishers. - If you only need static analysis or report generation, consider running code_review.sh only (it mostly greps/finds and writes a markdown report) instead of running compiled tests. - If you want higher assurance: request the maintainer to add the missing generate_report.sh or clarify docs, and provide a signed repository or official homepage.

Type: OpenClaw Skill Name: qa-reviewer Version: 1.0.0 The skill is classified as suspicious due to significant shell injection vulnerabilities in `scripts/code_review.sh` and `scripts/run_tests.sh`. Both scripts directly use the `$PROJECT_PATH` argument in shell commands (`grep`, `find`, `cd`, `cmake`, `make`, `pytest`, `./srm_tests`) without proper sanitization. If an attacker can control the `PROJECT_PATH` input provided to the AI agent, they could inject arbitrary shell commands, leading to Remote Code Execution (RCE). Additionally, `examples/test_case_example.cpp` uses `system(cmd.c_str());` for cleanup, demonstrating a risky pattern that could lead to shell injection if the `testDir_` variable were ever influenced by untrusted input.