Pull Request

Pass
Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: pull-request
Version: 1.0.1

This skill bundle is designed to guide an AI agent in creating high-quality, responsible pull requests. It contains explicit instructions across multiple files (SKILL.md, checklist.md, repo-context.md, red-flags.md) for the agent to avoid common security pitfalls, such as not reading or logging sensitive files/secrets, not introducing unsafe code patterns (e.g., `eval()`, `exec()`, `verify=False`), and not making suspicious external network calls or using obfuscation. The instructions consistently promote secure coding practices and responsible AI behavior, with no evidence of malicious intent or prompt injection attempts aimed at subverting the agent for harmful purposes.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may help prepare or open public pull requests, so mistakes could be visible to maintainers or the public.

Why it was flagged

The workflow can guide public contribution actions across repositories. This is the skill's stated purpose and is bounded by issue-policy checks, rate limits, scope limits, and human escalation.

Skill content
Before creating or suggesting a pull request to ANY repository.
Recommendation

Review the diff, branch target, and PR description before publishing, especially for repositories you do not maintain.

What this means

If the target repository is untrusted, its test or build scripts could affect the local environment.

Why it was flagged

Running repository-defined tests, linting, or build commands can execute code from the target repository. This is disclosed and central to PR validation, but still deserves user awareness.

Skill content
**Tests pass** — Run project's test command (check package.json, Makefile, etc.)
Recommendation

Review scripts before running them and use a clean workspace or sandbox for unfamiliar repositories; if checks cannot be run safely, state that in the PR.

What this means

Private prompt details or internal context could be exposed if copied into a public PR without review.

Why it was flagged

Prompt or session logs may contain private context. The instruction is optional and paired with a no-secrets rule, but users should sanitize anything shared in a PR.

Skill content
Include context — Prompts or session logs if available and helpful
Recommendation

Share only relevant, scrubbed AI context and never include secrets, credentials, private URLs, or sensitive project details.