pr-reviewer

Security checks across malware telemetry and agentic risk

Overview

The skill fits its PR-review purpose, but its script appears to build Python code from PR-controlled file names, which could let a malicious pull request run local code during review.

Review the script before installing or running it on untrusted pull requests. In particular, fix the Python command construction so PR filenames are passed as data, not embedded into executable code. Use least-privilege GitHub credentials, keep generated reports private, and verify the correct script path before running commands.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
High
What this means

Reviewing a malicious PR could potentially run unintended Python code on the user's machine.

Why it was flagged

The script obtains PR file paths from GitHub and later embeds the file-list argument directly into a Python `-c` program. Because PR file names are attacker-controlled in many review scenarios, a crafted file name containing triple quotes could alter the generated Python code and execute locally if this function is reached.

Skill content

get_pr_files() { ... --jq '.files[].path' ... }
...
files = '''$1'''.strip().split('\n')

Recommendation

Do not interpolate PR data into `python3 -c` source code. Pass file lists through stdin, a temporary JSON file, or command arguments and parse them safely inside Python.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can act using the user's GitHub repository permissions, including writing PR comments if the user invokes posting.

Why it was flagged

The skill relies on the user's authenticated GitHub CLI session and may use write permission when posting PR comments.

Skill content

Requires `gh` CLI authenticated with repo access... Repository access (read at minimum, write for posting comments)

Recommendation

Use a GitHub account or token with only the repository permissions needed, and review generated comments before posting.

ASI06: Memory and Context Poisoning
Low
What this means

Sensitive code or accidental secrets from PR diffs may be copied into local report files, and potentially into PR comments if posted.

Why it was flagged

The report captures snippets of added diff lines as finding context. If a PR contains secrets or sensitive code, those snippets can be saved into local markdown reports and may be included in review output.

Skill content

'context': line[1:].strip()[:120]

Recommendation

Keep report directories private and redact secret values before posting automated review output to GitHub.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users may try to run a non-existent or different script path, causing confusion or accidental use of an unintended local file if one exists.

Why it was flagged

The documented command path does not match the included file path `scripts/pr-review.sh`, which is a packaging/documentation inconsistency rather than evidence of hidden execution.

Skill content

scripts/github/pr-reviewer.sh check

Recommendation

Update the documentation to reference the included script path exactly, or include the referenced script.