Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create Pr. Skip

v1.0.0

create a pull request with standardized description template

by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the instructions: the SKILL.md describes gathering git context and using the GitHub CLI (gh) to create and label PRs. However, the skill metadata declares no required binaries or credentials even though the instructions rely on git and gh and on an authenticated GitHub session.
Instruction Scope
The runtime instructions stay within the stated purpose: they run git commands to gather diffs/commits, infer change categories, and use gh to create/edit PRs and labels. There are no instructions to read unrelated system files, external endpoints, or to exfiltrate data.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk or downloaded during install. That minimizes install risk.
Credentials
The SKILL.md requires git and the GitHub CLI (gh) and implicitly requires GitHub authentication (gh auth or GITHUB_TOKEN) to create/edit PRs, but the registry metadata lists no required binaries or environment/credential variables. The omission is disproportionate and can mislead users about necessary credentials and tooling.
Persistence & Privilege
always is false and disable-model-invocation is true, so the skill will not run autonomously and does not request permanent high privilege. The skill does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (prepare a PR description and call the GitHub CLI), but the metadata omits important prerequisites. Before installing/using it: ensure you have git and the GitHub CLI (gh) installed and authenticated (gh auth login or a GITHUB_TOKEN), and run it only from the intended repository/branch because the instructions run git commands and create an actual PR. Because disable-model-invocation is true, the skill cannot run on its own, but you should still verify templates and the final PR body before submitting. If you plan to publish or automate this skill, ask the author to declare required binaries and the authentication requirement in the metadata so users know what credentials and tooling are needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk9755ea0111khr9nf4ery5p24x84q2yq
