Skill v1.0.2

ClawScan security

GitHub PR Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 2:12 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This instruction-only skill is internally consistent with its purpose (writing PR descriptions); it only references local git diffs and a bundled PR template and does not request unrelated credentials or install arbitrary code.
Guidance
This skill is an instruction-only helper that reads your repository history (git diff/log) and formats a PR body using the included template. It does not request credentials or install code. Before using it, confirm your agent will not perform push/merge operations automatically (the README says “Never merge”), and verify whether the agent will actually call the GitHub CLI (gh) in your environment — if so, ensure your GitHub credentials are stored and managed appropriately. If you want to be extra cautious, run the suggested git commands yourself and paste the diff/context into the tool rather than granting the agent direct repo access.

Review Dimensions

Purpose & Capability
note: Skill name/description (generate PR descriptions) aligns with the instructions (run git diff/log to gather context and fill a template). Minor note: metadata declares the gh CLI as required, but the SKILL.md only shows git commands — gh is plausible for PR workflows but is not actually invoked in the provided instructions.
Instruction Scope
ok: Runtime instructions are limited to reading git diffs and commit logs in the repo and filling sections of the included PR template. There are no instructions to read unrelated system files, export data, contact external endpoints, or access environment secrets.
Install Mechanism
ok: No install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. The operations it recommends (git diff, git log) do not require secrets. If a user chooses to use gh later, that would need GitHub auth, but the skill does not request it.
Persistence & Privilege
ok: Skill is not always-enabled and is user-invocable; it does not request persistent system presence or modify other skills or system-wide settings.