gh-modify-pr
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: gh-modify-pr Version: 1.0.1 The skill is suspicious due to potential Remote Code Execution (RCE) vulnerabilities. Specifically, the instruction to `git clone git@github.com:<owner>/<repo>.git` derives the repository URL from user input (PR URL). If a malicious user provides a crafted PR URL pointing to a repository with malicious Git hooks (e.g., `post-checkout`), arbitrary code could be executed on the agent's system. Additionally, the instruction to 'Validate changed files quickly (lint/test only if needed or requested)' could lead to arbitrary command execution if the agent is prompted to run user-controlled lint/test commands. These are significant vulnerabilities, though not indicative of intentional malice by the skill developer.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make lasting local code changes and create a commit; remote changes should only happen if you approve a push.
The skill instructs the agent to modify tracked code and create a local commit, with remote push gated on user approval. This is expected for the stated purpose, but users should notice that it can change their working tree and repository history.
`git add <files>` - `git commit -m "<clear message>"` 11. Push only if user asks/approves: - `git push`
Review the diff and commit before approving any push, especially on shared or protected branches.
The skill can access repositories and PR comments available to your configured GitHub credentials.
The workflow relies on the user's GitHub CLI and SSH/git authentication to read PR data and clone repositories. This is purpose-aligned, but it uses the user's existing account privileges.
`gh api repos/<owner>/<repo>/pulls/<number>/comments` ... `git clone git@github.com:<owner>/<repo>.git`
Use it only with a GitHub account and SSH credentials that have the repository access you intend, and avoid running it in repositories where the agent should not make edits.