Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gh-modify-pr
v1.0.1
Modify code based on GitHub PR review comments and create a local commit using gh + git. Use when the user asks to "follow PR comments", "fix review comments...
⭐ 0· 369·0 current·0 all-time
by Daniel Lin (@danie1lin)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask for making PR-driven edits; required binaries are gh and git which are exactly what's needed to view PRs, fetch comments, checkout branches, and commit — coherent with the stated purpose.
Instruction Scope
Instructions operate on the local repo and GitHub via gh (view PR, fetch comments, checkout, commit). They do not request unrelated files or external endpoints. NOTE: the workflow will edit files in the agent workspace and commit them locally — this is expected for the task but is an action that will modify user files.
Install Mechanism
Instruction-only skill with no install steps or downloads. Lowest-risk install profile.
Credentials
Requires no declared env vars, which is reasonable, but implicitly depends on local Git/GitHub authentication (SSH keys for git@github.com clone and/or gh authentication or GH_TOKEN). Those credentials live in the environment/tooling but are not explicitly declared — not necessarily malicious, but users should be aware the skill will use existing git/gh auth to access repos.
Persistence & Privilege
always:false (not force-included). The skill will modify local files and can push only with user approval per its rules; it does not request persistent/system-wide privileges or attempt to change other skills' settings.
Assessment
This skill appears to do what it says: it will use the GitHub CLI and git to clone (if needed), check out the PR branch, modify files, and create a local commit. Before installing/using: ensure you trust the agent to modify code in the workspace, keep backups or run in a disposable clone, and verify changes before allowing any push. Note the skill will use your existing GitHub/Git auth (SSH keys or gh login/GH_TOKEN) even though no env vars are declared — confirm those credentials are appropriate for the repo you allow it to access. If you want stricter control, run the workflow in an isolated environment or provide a read-only clone and manually review commits before pushing.
Like a lobster shell, security has layers — review code before you run it.
latestvk9764kdy64cax9jk7a2zxdar9n81vjbv
Runtime requirements
Bins: gh, git
