Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub PR Automation Pro

Automate GitHub pull request workflows including creation, review, merging, and monitoring. Handles PR templates, auto-labeling, CI/CD integration, and revie...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The README/description advertises auto-merge, auto-review, batch operations, analytics, and paid tiers, but the bundle only contains two scripts (create_pr.js and monitor_pr.js) and static templates/rules. SKILL.md references additional scripts (auto_merge.js, batch_review.js) that are not present. The claimed feature set is broader than the provided implementation.
Instruction Scope
Runtime instructions and the included scripts invoke the system 'gh' CLI and Git commands. The scripts construct shell commands by interpolating user-supplied values (title, branch, labels) and template contents into a single command string passed to child_process.execSync, which can lead to shell/command-injection if inputs contain special characters. The SKILL.md also instructs using non-existent scripts, which gives the agent broad discretion to try to run things that don't exist.
Install Mechanism
There is no install spec (instruction-only with shipped scripts). That reduces supply-chain risk from downloads. The skill does require the external 'gh' CLI to be present, which is expected for a GitHub integration.
Credentials
The skill declares no required environment variables or credentials, which aligns with using the locally-authenticated 'gh' CLI. However, it will act using whatever GitHub authentication the 'gh' CLI has on the host (personal or machine tokens stored by gh), so it uses existing credentials implicitly — users should be aware it will operate with whatever permissions gh is configured with.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install steps. It does not request persistent system-level privileges in its metadata.
What to consider before installing
This package is internally inconsistent and has unsafe command construction. Before installing or running it:
1) Do not run these scripts with untrusted inputs; they build shell commands via string concatenation (execSync) and can be exploited if titles/branches/labels/templates contain malicious characters.
2) Review the missing features: SKILL.md references auto_merge.js and batch_review.js, which are not included; the advertised capabilities are not implemented.
3) If you want to use it, run it in an isolated environment or container and inspect/modify the scripts to avoid execSync with interpolated strings (use child_process.spawn or execFile with argument arrays, or call GitHub via Octokit REST APIs).
4) Confirm what GitHub account 'gh' is authenticated to and its permissions; the scripts will act with that account's privileges.
5) Prefer vetted alternatives (official GitHub Actions, GitHub Apps, or libraries like Octokit) if you need robust auto-merge/approval automation.
If you want, provide the missing scripts or an updated implementation and I can re-evaluate.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
  • scripts/create_pr.js:17: Shell command execution detected (child_process).
  • scripts/monitor_pr.js:12: Shell command execution detected (child_process).


Current version: v1.0.0


SKILL.md

GitHub PR Automation

Streamline GitHub pull request workflows with intelligent automation for creation, review, and merging.

Features

  • Automated PR creation with templates
  • Smart labeling and assignment
  • CI/CD status monitoring
  • Auto-review and approval workflows
  • Conditional auto-merge
  • Batch PR operations
  • PR analytics and reporting

Quick Start

Create PR with Template

node scripts/create_pr.js --branch feature/new-api --title "Add new API endpoint" --template feature

Monitor PR Status

node scripts/monitor_pr.js --pr 123

Returns CI status, review status, and merge readiness.

Auto-merge Ready PRs

node scripts/auto_merge.js --repo owner/repo --conditions "ci_passed,reviews_approved"

Batch Review PRs

node scripts/batch_review.js --repo owner/repo --label "ready-for-review" --action approve

Configuration

PR automation rules are defined in references/automation_rules.json:

{
  "auto_label": {
    "bug": ["fix", "bugfix"],
    "feature": ["feat", "feature"],
    "docs": ["docs", "documentation"]
  },
  "auto_merge": {
    "enabled": true,
    "conditions": ["ci_passed", "reviews_approved", "no_conflicts"]
  },
  "reviewers": {
    "backend": ["@backend-team"],
    "frontend": ["@frontend-team"]
  }
}

PR Templates

Store templates in references/pr_templates/:

  • feature.md - Feature PRs
  • bugfix.md - Bug fixes
  • hotfix.md - Urgent fixes
  • docs.md - Documentation updates

GitHub CLI Integration

This skill uses gh CLI for GitHub operations. Ensure it's installed and authenticated:

gh auth status

Pricing

  • Free: Basic PR automation, 1 repository, manual triggers
  • Pro ($14.99/month): Unlimited repos, auto-triggers, advanced rules
  • Team ($49.99/month): Multi-team support, custom workflows, analytics

Files (6 total)