ClawAudit verdict
yuyonghao-code-refactor
The skill analyzes code quality issues and applies refactoring suggestions. Although it uses Node.js and has an executionSinkDetected flag raised, the content seems to be legitimate and used for its stated purpose.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (4)
Dynamic Function constructor — equivalent to eval()
src/validator.js · prose · downgraded · new Function(
Uses exec() — may execute shell commands
src/analyzer.js · prose · downgraded · exec(
References child_process — can spawn system processes
src/validator.js · prose · downgraded · child_process
Popular HTTP library — network access
test/refactor.test.js · prose · downgraded · got
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
Is this flag fair?
Thanks — recorded.