Code Review Engine
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only code review skill, but it may read local or GitHub code and could be used for scheduled reviews if you configure that.
Before installing, consider whether you are comfortable letting the agent read the code, diffs, and GitHub PRs you ask it to review. If you use gh CLI or scheduled reviews, keep the GitHub account, repository scope, and automation settings limited to the intended projects.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read local code or diffs that could contain proprietary code or secrets.
The skill is expected to inspect local repository state or files to perform code review. This is purpose-aligned, and no destructive or write commands are shown.
Review the staged changes in this repo
Use it only on repositories, files, and diffs you intend the agent to review, and avoid including unrelated sensitive files.

If used with an authenticated GitHub account, the agent may access PRs or repository data available to that account.
Using the GitHub CLI may rely on the user's existing GitHub authentication and repository permissions. That is expected for PR review, but it can expose private repository content to the reviewing agent.
**GitHub & local git integration** — works with `gh` CLI or raw diffs
Confirm the active GitHub account and repository before use, and prefer least-privilege access for automated review workflows.

If scheduled, the skill could repeatedly review new PRs without a separate prompt for each PR.
The README describes possible scheduled, recurring operation. No persistence mechanism or automatic installation is shown, and SKILL.md indicates auto_trigger is false, so this appears to require user configuration.
**Heartbeat/cron ready** — auto-review new PRs on a schedule
Only enable scheduling with explicit repo scope, clear frequency, and review/notification controls.

It is harder to verify the publisher's source history or compare future updates.
The registry metadata does not provide a source repository or homepage for independent provenance review. The skill is instruction-only, which limits install-time supply-chain risk.
Source: unknown; Homepage: none
Install only if you trust the registry publisher, and re-check the skill instructions after updates.
