Security scan
OpenClaw
Suspicious
High confidence
Assessment and recommendation
This skill appears to do what it says (send Q code to an external service for review), but be aware of two actionable risks before installing:
1) External submission of code and keys: The plugin sends your Q code to an external server (Astrai) for analysis. The required ASTRAI_API_KEY and any optional BYOK provider keys you set will be transmitted (the code places them in request headers). If your code or keys are sensitive, do not use this skill against production secrets unless you trust the ...
✓ Purpose and capabilities
Name/description match the implementation: the plugin collects an ASTRAI API key and optional provider keys and sends Q code to an Astrai router for analysis. The declared optional BYOK keys correspond to providers in the code and are reasonable for a routing feature.
⚠ Instruction scope
The SKILL.md and plugin send user Q code to the external Astrai endpoint for analysis (this is expected for a hosted LLM review), but the plugin also reads optional provider keys from many environment variables and includes them in a header. SKILL.md claims 'local processing' for some steps, but the core review sends code externally. Additionally the plugin uses an override env var ASTRAI_BASE_URL (defaults to https://as-trai.com/v1) which is not documented in SKILL.md or config.example.toml; that allows redirecting where code and keys are sent.
✓ Installation mechanism
No install spec or downloads; it's instruction-only plus a single plugin.py file. Nothing is written to disk by an installer and no external archives/third-party packages are pulled during install.
⚠ Credential requirements
The required primary credential (ASTRAI_API_KEY) is proportional to the declared purpose. Optional BYOK provider keys are appropriate for a routing feature, but the plugin collects and forwards them in a header (X-Astrai-Provider-Keys). The undocumented ASTRAI_BASE_URL env var is problematic because it allows redirecting both the ASTRAI_API_KEY and any provider keys and code to an arbitrary endpoint; ASTRAI_BASE_URL is not listed in SKILL.md's Environment Variables table or config.example.toml.
✓ Persistence and permissions
The skill does not request always:true, does not modify other skills or system configs, and runs only when invoked. It does not install persistent agents or escalate privileges.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/2/16)
● Suspicious
Install command
Official: npx clawhub@latest install q-kdb-code-review
Mirror (accelerated): npx clawhub@latest install q-kdb-code-review --registry https://cn.longxiaskill.com