Nm Sanctum Pr Review
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent PR-review helper, but it can use your GitHub/GitLab account to post reviews/comments/issues and store review knowledge without clearly requiring approval for every write action.
Use this skill only if you are comfortable with an agent reviewing PRs using your GitHub/GitLab CLI account. Keep review posting in preview mode unless you explicitly approve each comment, review event, or issue creation. Verify the target repo and logged-in account, use least-privilege credentials, disable or confirm knowledge capture for sensitive work, and cross-check PR-supplied plan/spec files against trusted requirements.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish comments, submit a review, approve or request changes, or otherwise affect a PR under the user's account.
The module documents GitHub write operations, including PR review submission with approve/request-changes options and an instruction to always post a summary comment. The shown flow does not include an explicit user approval gate before posting.
`EVENT="COMMENT" # or "REQUEST_CHANGES" or "APPROVE"` ... `gh pr review $PR_NUMBER` ... "3. **Always post a summary comment** with all findings aggregated"
Use a dry-run/preview workflow by default and require explicit confirmation before posting comments, submitting reviews, approving/requesting changes, or creating backlog issues.
The skill may act with whatever repository permissions the logged-in gh/glab account has, including on private repositories or protected review workflows.
The skill relies on GitHub/GitLab CLIs, which typically use the user's locally authenticated account. The registry metadata declares no primary credential, so the delegated account authority is not clearly bounded in the declared credential contract.
Platform detection is automatic via `leyline:git-platform`. Use `gh` for GitHub, `glab` for GitLab.
Before use, verify the logged-in account, use least-privilege tokens where possible, restrict the target repository/PR, and require confirmation for any write action.
Private repository details, architectural decisions, reviewer names, and review findings may be retained for future use.
The module can persist PR review findings, repository context, and participant information into a project review chamber. The documented `require_confirmation` setting is a mitigating control, but the persistence itself is still worth noting.
`"auto_capture": true, "capture_threshold": 60, "require_confirmation": true` ... `participants: [author, reviewers...]`
Keep confirmation enabled, use `--no-capture` for sensitive PRs, and redact secrets or confidential details before allowing knowledge capture.
A manipulated or incomplete plan/spec file could cause the agent to down-rank real issues as out-of-scope or overlook scope creep.
The skill treats repository plan/spec/task files as authoritative scope sources. In PR review, those files may be changed by the PR author, so they can steer the agent's understanding of what is in scope.
"Plan file: Most authoritative" ... `find specs -name "plan.md"` ... `cat plan.md` ... "Spec file: Requirements definition"
Cross-check scope against trusted sources such as the issue, ticket, base-branch requirements, or maintainer instructions, and treat repository text as evidence rather than instructions to obey.
Installing or relying on the external plugin may introduce additional behavior not represented by this instruction-only artifact set.
The scanned package is instruction-only and the registry version is 1.0.2, while the skill frontmatter says 1.9.5 and references a fuller external plugin experience. This is a provenance/context note rather than evidence of malicious behavior.
`version: 1.9.5` ... "For the full experience with agents, hooks, and commands, install the Claude Code plugin."
If using the full plugin, review and pin that plugin separately; do not assume this scan covers its agents, hooks, commands, or dependencies.
