GitHub PR Manager
Advisory
Audited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong repository, PR, or branch, the agent could approve or merge code, change labels, or push conflict-resolution changes that affect collaborators.
These documented commands can change repository state, publish reviews, merge code, enable auto-merge, or rewrite/update branches. They are aligned with PR management, but they are high-impact operations.
gh pr review <number> --approve --body "LGTM"
...
gh pr merge <number> --squash
gh pr merge <number> --auto
...
git push --force-with-lease
Require explicit user confirmation for approvals, merges, auto-merge, label setup, and any force-with-lease push; verify the repo, PR number, branch, and CI status first.
The skill can act as the currently authenticated GitHub user, including creating PRs and performing review or merge actions where that account has permission.
The skill relies on the user's existing authenticated GitHub CLI session, so actions run with that account's repository permissions.
`gh` CLI installed and authenticated (`gh auth status`)
Use a GitHub account/token with the minimum repository permissions needed, and confirm the active gh account before running mutating commands.
Users may not realize before installation that the skill depends on local command-line tools and an authenticated GitHub session.
The metadata under-declares runtime expectations: the SKILL.md requires authenticated gh CLI access, and the included scripts also depend on gh, git, python3, and bash.
Required binaries (all must exist): none ... Primary credential: none
Declare gh/git/python3/bash and GitHub authentication in metadata; users should verify the included scripts before use.
