PR Auto-Merge Agent

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates GitHub PR merging, but a promised approval-count safeguard is not actually enforced, making live or scheduled use riskier than users would expect.

Review carefully before installing. Use dry-run only unless you fix or independently enforce approval thresholds, rely on branch protection for required reviews and status checks, avoid unattended live cron merges until safeguards are in place, and use a dedicated least-privilege GitHub token limited to the intended repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The script and skill description claim support for a minimum-approvals threshold, but the code never counts approvals and ignores the min_approvals parameter. In an autonomous merge agent, this can cause PRs to be merged with fewer reviews than policy requires, weakening change-control protections and enabling unsafe or malicious code to land.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The merge decision relies only on GitHub's generic reviewDecision == APPROVED, which does not guarantee the configured threshold requested by the user or advertised by the skill. Because this tool autonomously merges code, that mismatch materially increases the chance of unauthorized or insufficiently reviewed PRs being merged into protected branches.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill promotes scheduled, unattended PR merging using authenticated GitHub credentials, including examples that run with `--no-dry-run`. In this context, the absence of a strong warning or per-run confirmation is dangerous because it enables persistent autonomous modification of repositories; if branch protections, approvals, CI checks, or tokens are misconfigured, bad or malicious code could be merged automatically at scale.

VirusTotal

66/66 vendors flagged this skill as clean.
