Sovereign code-review-helper

Generates file-type-specific code review checklists covering security, performance, style, and testing best practices for pull requests.

This skill appears to do what it claims (scan git diffs and emit review checklists), but a substantial executable script is bundled and the registry/source provenance is unclear. Before installing or running: (1) Inspect the full scripts/review.sh file for any network calls (curl, wget, nc, openssl to unknown hosts), hardcoded endpoints, or obfuscated/encoded payloads; (2) Confirm the homepage/repository links in skill.json point to a legitimate project and check the repository history; (3) Run it first in a disposable environment or container and without network access if you want to limit risk; (4) If you plan to use the --pr option, be aware it may fetch remote refs and perform network operations — verify what it fetches; (5) If you are not comfortable reviewing the full script, treat this skill as untrusted and avoid running it on sensitive repositories. Additional information that would raise confidence: an authoritative repository/maintainer, signed releases, or a short human-readable changelog explaining the script's behavior.

Type: OpenClaw Skill Name: sovereign-code-review-helper Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/review.sh`. The `--files` argument, which accepts a glob pattern, is directly used in `grep -E "$FILE_PATTERN"` without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious `FILE_PATTERN` value, leading to potential Remote Code Execution (RCE).