Fetch Pr Feedback
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it claims: it reads PR review comments with the GitHub CLI and passes them to a feedback-processing skill, but users should be aware of the GitHub account and CLI dependencies it relies on.
Before installing, make sure GitHub CLI is logged into the correct account and that jq and beagle-core:receive-feedback are trusted and available. The visible instructions are read-only and scoped to a selected/current PR, but they may expose private review comments to the agent for analysis.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will use local command-line tools to contact GitHub and read comments for the selected PR.
The skill instructs the agent to run GitHub CLI commands to fetch PR comments. This is purpose-aligned and read-oriented, but it is still local tool/API use.
gh api --paginate "repos/$OWNER/$REPO/issues/$PR_NUMBER/comments"
Run it only from the intended repository, verify the target PR number, and review any command prompts before allowing execution.
The skill operates with whatever GitHub repository access your local gh login already has.
The skill uses the currently authenticated GitHub CLI identity. That account access is expected for PR-comment retrieval, but it is not declared as a registry credential requirement.
gh api user --jq '.login'
Confirm gh is logged in as the intended GitHub user and that you are comfortable letting the agent read PR comments visible to that account.
Behavior depends partly on the separate receive-feedback skill and on local tools that are not packaged here.
The skill depends on a separate skill that is named in the instructions but not included in this artifact set. This is disclosed and aligned with the stated purpose, but users must decide separately whether to trust that dependency.
Use the Skill tool to load the receive-feedback skill: `Skill(skill: "beagle-core:receive-feedback")`
Ensure beagle-core:receive-feedback, gh, and jq are installed from trusted sources; metadata should ideally declare these runtime dependencies.
A misleading or prompt-like PR comment could influence the feedback evaluation if treated as instructions rather than data.
PR comments are retrieved external context that will be processed by another skill. The artifact includes noise stripping, but reviewer text should still be treated as untrusted input.
Fetch review comments from all reviewers on the current PR, format them, and evaluate using the receive-feedback skill.
Treat fetched review comments as untrusted input, and review the resulting feedback before acting on it.
