pr-reviewer
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a GitHub PR review tool, but the script appears to insert PR-controlled file data into Python code, which could let a crafted PR run code on your machine.
Review and fix the unsafe Python interpolation before using this on untrusted PRs. If you do use it, run it with least-privileged GitHub credentials, verify the correct script path, inspect reports before posting comments, and keep generated report files private.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Reviewing a malicious or unusually crafted PR could execute commands on the reviewer's machine under the user's account.
The script constructs a Python program using shell interpolation instead of passing data safely via stdin, argv, or JSON. Because the skill fetches changed file paths from GitHub PRs for its advertised test-coverage analysis, a crafted filename containing Python string delimiters could break out of this literal and execute local code if this function is reached.
`files = '''$1'''.strip().split('\n')`
Do not construct Python source with untrusted values. Pass PR file lists through stdin, argv, or a temporary JSON file, and encode values with a safe serializer before use.
If used carelessly, the skill could publish incorrect, noisy, or sensitive review comments to a pull request.
The skill can post generated review output back to GitHub when the user runs the post command. That mutation authority is disclosed and purpose-aligned, but it affects a shared repository conversation.
Repository access (read at minimum, write for posting comments)
Run report generation first, review the output, and only use posting with explicit intent and an appropriately scoped GitHub account.
The skill can read PR data and, if the account has write access and post is used, write comments as the authenticated GitHub user.
The skill uses the local GitHub CLI session rather than a declared environment variable credential. This is expected for a GitHub PR reviewer, but it means the skill operates with whatever repository permissions gh currently has.
Requires `gh` CLI authenticated with repo access.
Use the least-privileged GitHub authentication available, preferably limited to the intended repository and avoiding broad personal access tokens.
A user may be confused or may execute a different local script than the one reviewed here.
The SKILL.md examples reference scripts/github/pr-reviewer.sh, while the supplied manifest/code file is scripts/pr-review.sh. This appears to be a packaging or documentation mismatch rather than hidden behavior, but it can cause users or agents to run the wrong file if another script exists at the documented path.
scripts/github/pr-reviewer.sh check
Fix the documented command path to match the packaged script, and verify the exact script path before running it.
Generated report files may retain sensitive code or secret-like snippets on disk.
The skill persistently writes review reports that may contain private PR metadata, lint output, and snippets of changed code, including secret-looking lines flagged by its checks. This is disclosed and purpose-aligned, but users should treat the reports as repository data.
Reports are saved as markdown files in the output directory. Each report includes ... Automated diff findings with file, line, category, and context
Store reports in a private directory, avoid sharing them broadly, and consider redacting secret values before posting or archiving reports.
