ReviewEvo
by @8co

Safety Report

      Self-improving code reviewer that learns your codebase over time. Analyzes git history, spots patterns, identifies risk — and gets smarter every run.

149 Downloads · 0 Installs · 1 Star · 2 Versions
Categories: Git & Version Control (784), Education & Learning (489), Code Review (200)

      Security Analysis

Verdict: Suspicious (risk score 0.04, high confidence)

The skill is internally coherent for a git-based code reviewer, but its runtime instructions persist review data into the repo and lack safeguards for secrets and for write/commit behavior; this mismatch between what it does and how it handles risk is concerning.

Feb 26, 2026 · 1 file · 3 concerns

Purpose & Capability: ok

      The name/description match the actions: it uses git to analyze history and repo files. Required binary (git) is appropriate and there are no unrelated environment variables or external dependencies requested.

Instruction Scope: concern

      The SKILL.md tells the agent to read arbitrary repository files, full git history, and to create/write .review-evo/learnings.md containing findings. There are no explicit controls to avoid reading or persisting secrets or other sensitive content, no guidance to redact or exclude files, and no instruction to avoid committing the learnings file. The skill also instructs to 'collect all data before drawing conclusions', which can cause large-scale reading of repo contents without per-file user confirmation.

Install Mechanism: ok

      Instruction-only; no install step, no downloads, and no third-party packages. This minimizes supply-chain risk.

Credentials: note

No environment variables or external credentials are requested, which is proportional. However, git output includes author names and timestamps, and the instructions explicitly collect contributor and file histories; this is expected for a code reviewer but may surface PII in review outputs and in the persisted learnings file.

Persistence & Privilege: concern

The skill writes a persistent file into the repository (.review-evo/learnings.md) and will create the .review-evo directory. While scope is limited to the repo, persisting findings can accidentally expose secrets or sensitive code analysis if the file is committed or shared. The always:false setting mitigates forced inclusion, but the skill provides no safeguards (redaction, .gitignore advice, or user confirmation) around what gets stored.

      Guidance

      This skill generally does what it claims (uses git to analyze history and files), but it will read many repository files and write a persistent learnings file back into the repo without guidance to redact secrets or to exclude the file from commits. Before installing or invoking it: (1) run it in a disposable clone or branch to inspect behavior; (2) add .review-evo/ to .gitignore or review and remove sensitive lines from .review-evo/learnings.md before committing; (3) require the skill to ask for confirmation before reading or persisting files outside explicit review targets; and (4) if you need stronger guarantees, request the skill be updated to automatically redact secrets and to show a preview of any content it will write. If you plan to allow autonomous invocation, add the above safeguards first.

      Latest Release

      v0.1.1

      Add high-traffic search tags for better discoverability


      Published by @8co on ClawHub
