Smart PR Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate PR-review skill, but it grants broad agent powers and includes webhook code that can automatically post AI review decisions to GitHub using repository credentials.

Use the basic review mode only if you are comfortable with its broad tool access, and deploy the webhook only with a least-privilege bot token, dependency pinning, repo restrictions, prompt-injection safeguards, and cleanup of temporary review files.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with these permissions, the agent may have more local authority than needed for reviewing code, including the ability to edit files or delegate work.

Why it was flagged

A code-review skill needs reading, searching, and git/gh commands, but Edit and Agent are broad mutation/delegation capabilities that are not clearly scoped by the review instructions.

Skill content

allowed-tools:
  - Bash
  - Read
  - Write
  - Edit
  - Grep
  - Glob
  - Agent
  - WebFetch

Recommendation

Limit the skill to the minimum tools needed for review, or explicitly instruct it not to edit source files unless the user asks.

Concern (High Confidence)
ASI08: Cascading Failures

What this means

A mistaken or manipulated review could affect merge workflows or publicly post misleading feedback without a human approval step.

Why it was flagged

The webhook code can post AI-generated review outcomes directly to GitHub PR reviews, including approvals and change requests.

Skill content

event: "APPROVE" | "REQUEST_CHANGES" | "COMMENT";
...
await this.request("POST", `/repos/${params.owner}/${params.repo}/pulls/${params.pull_number}/reviews`, { body: params.body, event: params.event })

Recommendation

Run the webhook in COMMENT/dry-run mode by default, require human confirmation for APPROVE or REQUEST_CHANGES, and restrict it to intended repositories.

Note (Medium Confidence)
ASI01: Agent Goal Hijack

What this means

A malicious PR could try to steer the AI reviewer into ignoring issues or approving unsafe code.

Why it was flagged

Untrusted PR descriptions and diffs are inserted into the model prompt as review material. That is necessary for code review, but PR text can contain adversarial instructions.

Skill content
- **描述**: ${prBody ?? "(无描述)"}
...
## 变更内容 (Diff)
```diff
${diff}
```
Recommendation

Add explicit prompt instructions that PR bodies, comments, and code are untrusted data and must never override the review task.

What this means

A too-broad token could allow the service to act across more repositories than intended.

Why it was flagged

The webhook mode requires a GitHub token with repository access. This is expected for posting PR reviews, but it is sensitive account authority.

Skill content

GITHUB_TOKEN        — GitHub API access token (requires repo permission)
...
githubToken: process.env.GITHUB_TOKEN ?? ""

Recommendation

Use a dedicated bot or GitHub App with least-privilege permissions and document required credentials in the registry metadata.

What this means

Users may install whatever package versions are current at setup time, which can reduce reproducibility and supply-chain assurance.

Why it was flagged

The optional webhook setup installs unpinned npm packages and runs the TypeScript entrypoint via npx, while no lockfile or install spec is provided in the registry data.

Skill content

npm install hono @hono/node-server
npx tsx index.ts

Recommendation

Pin dependencies, provide a package lockfile or install spec, and review package provenance before running the webhook service.

What this means

Review artifacts may remain on disk after the review and could expose sensitive code-review details on shared machines.

Why it was flagged

Large-review findings may be written to predictable temporary files, which can include private code details or security findings.

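Skill content

Each group is reviewed independently, and the issues found are written to a temporary file (e.g. `/tmp/review_findings_chunk_N.md`)... After all groups have been reviewed, the temporary files are read and aggregated to produce the final report

Recommendation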

Use per-run private temp directories, set restrictive file permissions, and delete temporary findings after the final report is generated.

What this means

Private repository diffs and review prompts may be sent to external services depending on deployment.

Why it was flagged

The webhook mode is designed to integrate GitHub webhooks with an external model provider credential, so private PR content may be processed outside the local agent environment.

Skill content

export GITHUB_TOKEN="ghp_..."
export GITHUB_WEBHOOK_SECRET="your-secret"
export ANTHROPIC_API_KEY="sk-ant-..."
...
# Webhook integration — Auto-review PRs via GitHub webhooks

Recommendation

Confirm that repository policy allows external AI review, disclose the data flow, and avoid using this mode on code that cannot leave the organization.