Release Feature Watcher
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it says—watch technical releases and notify when ready—but users should explicitly approve any scheduled or self-removing watcher.
This skill is reasonable for monitoring technical releases. Before installing or using it, confirm that any watcher has a specific condition, trusted source, check interval, expiry date, and cleanup plan, especially if it will be added to cron or another scheduler.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A watcher may keep running in the background until the condition is met or it expires.
The skill is designed to create ongoing automated watchers and clean them up later. That persistence is purpose-aligned, but it affects user control if a scheduled job is created without clear approval.
A watcher is an automated readiness check... remove itself after success when appropriate.
Only create scheduled watchers after the user confirms the source, condition, frequency, expiry, and cleanup rule.
Running the helper contacts GitHub to check PR and release status.
The helper script performs GitHub API calls using values from a config file. This is expected for a release watcher and does not show hidden endpoints or credential use.
req = urllib.request.Request(f"https://api.github.com{path}", headers=headers)
Use trusted watcher configs and verify the repository and PR number before scheduling repeated checks.
Users have less external provenance information to verify the publisher or source repository.
The registry metadata provides limited provenance for a skill that includes a runnable helper script, although the included script is small and static scan results were clean.
Source: unknown; Homepage: none
Review the bundled script before use and prefer installing from a trusted publisher or source when available.
