Skill v1.0.1
ClawScan security
MergeIQ: Automatically Score & Prioritise PR Complexity for GitLab and GitHub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 5:58 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requirements are consistent with a local PR/MR complexity scorer that operates on API JSON — nothing in the bundle requests unrelated credentials, hidden endpoints, or unexpected install steps.
- Guidance
- This package is coherent with its stated purpose (local scoring of PR/MR JSON). Before installing or running it:
  1. Verify the source and author if you need provenance; the package lists an email but no homepage or source repository.
  2. Run the code locally against sanitized PR JSON first; the code itself makes no network calls.
  3. When fetching live PR/MR JSON, supply your provider tokens to your own curl/HTTP client and do not paste tokens into the agent session or any environment you do not control.
  4. If you plan to run it in CI or share results, review the code for any logging or storage you want to customize; it currently uses only the standard library and prints JSON to stdout.
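A small pre-install harness for guidance steps (2) and (3), added here as an example; it is not part of the skill or of ClawScan. It does two things a reviewer would want before piping real data into an unvetted scorer: a static scan of the bundle's Python files for imports and environment-variable access that a "stdlib-only, no network, prints JSON" tool has no reason to contain, and a sanitizer that strips credential-like and personal fields from PR/MR API JSON. The suspect-module list and the sensitive-key pattern are the editor's assumptions, and the scorer snippets and PR JSON below are constructed for the example. The page does not list which JSON fields the real scorer reads, so confirm the scorer still produces a sensible score on the sanitized input.

```python
"""Pre-install checks for a stdlib-only PR/MR scorer bundle (example code).

  - audit_source()/audit_bundle(): static scan for imports and env access
    that a local, no-network scorer should not need.
  - sanitize(): drop credential-like and personal fields from PR/MR API JSON
    before piping it into code you have not yet vetted.
All sample inputs are constructed for this example, not taken from the skill.
"""
from __future__ import annotations

import ast
import json
import re

# Modules a "stdlib-only, prints JSON to stdout" scorer has no reason to import.
# Assumed list: extend it for your environment.
SUSPECT_MODULES = {
    "socket", "ssl", "http", "urllib", "ftplib", "smtplib", "requests",
    "subprocess", "ctypes", "pickle",
}
# Attribute accesses that read or write environment variables (where tokens live).
ENV_ACCESS = {("os", "environ"), ("os", "getenv"), ("os", "putenv")}


def audit_source(name: str, source: str) -> list[str]:
    """Return 'file:line: what' findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=name)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPECT_MODULES:
                    findings.append(f"{name}:{node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in SUSPECT_MODULES:
                findings.append(f"{name}:{node.lineno}: from {node.module} import ...")
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if (node.value.id, node.attr) in ENV_ACCESS:
                findings.append(f"{name}:{node.lineno}: {node.value.id}.{node.attr}")
    return findings


def audit_bundle(files: dict[str, str]) -> list[str]:
    """Audit every .py file in a {path: source} mapping; an empty list means clean."""
    findings = []
    for path, src in sorted(files.items()):
        if path.endswith(".py"):
            findings.extend(audit_source(path, src))
    return findings


# Keys that carry credentials or personal data rather than complexity signal.
# Assumed pattern: the page does not say which fields the scorer reads.
SENSITIVE_KEY = re.compile(r"token|secret|password|email|avatar", re.IGNORECASE)


def sanitize(obj):
    """Recursively drop sensitive keys; counts, titles and SHAs are left intact."""
    if isinstance(obj, dict):
        return {k: sanitize(v) for k, v in obj.items() if not SENSITIVE_KEY.search(k)}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    return obj


# --- constructed samples (not the skill's code or data) ----------------------
CLEAN_SCORER = "import json, sys\ndata = json.load(sys.stdin)\nprint(json.dumps(data))\n"
NOISY_SCORER = "import os\nimport urllib.request\ntok = os.environ['GITHUB_TOKEN']\n"

SAMPLE_PR = {
    "number": 42, "title": "Refactor parser",
    "additions": 120, "deletions": 30, "changed_files": 4,
    "user": {"login": "alice", "email": "alice@example.com",
             "avatar_url": "https://example.invalid/a.png"},
    "head": {"sha": "0" * 40, "repo": {"full_name": "example/repo"}},
    "_debug_token": "ghp_not_a_real_token",
}

if __name__ == "__main__":
    print("clean bundle findings:", audit_bundle({"score_mr.py": CLEAN_SCORER}))
    print("noisy bundle findings:", audit_bundle({"score_mr.py": NOISY_SCORER}))
    print(json.dumps(sanitize(SAMPLE_PR), indent=2))
```

In practice you would load the bundle's `.py` files into the `files` mapping and run `audit_bundle` before the first invocation; any finding is a prompt to read that line, not an automatic verdict, since a legitimate CLI may import `os` for path handling. For step (3), keep the token in your own shell and let curl read it, for example `curl -sS -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/OWNER/REPO/pulls/N"` (OWNER, REPO and N are placeholders), pipe the response through `sanitize` when first testing, and only then feed it to the scorer.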
Review Dimensions
- Purpose & Capability
- ok · Name/description match the contained code: adapters map GitHub/GitLab API JSON to a canonical MRData and mr_complexity_service.py computes a 4-dimension complexity score. The files present (adapters, calculator, CLI) are exactly what a PR/MR scoring tool needs; no unrelated binaries, services, or credentials are requested.
- Instruction Scope
- note · SKILL.md and score_mr.py instruct the user to pipe in GitHub/GitLab API JSON (examples show using curl with GITHUB_TOKEN/GITLAB_TOKEN). That is expected for this skill, but the README examples assume the user fetches data (and supplies tokens) outside the skill; the skill itself does not reach out to APIs. There are no instructions to read arbitrary system files or exfiltrate data.
- Install Mechanism
- ok · No install spec is provided (instruction-only for platform integration), and the included Python code declares no external packages (requirements.txt states stdlib-only). There are no downloads, remote installers, or archive extracts; installation risk is minimal.
- Credentials
- note · The skill bundle does not declare or require environment variables. Example usage in SKILL.md shows using GITHUB_TOKEN/GITLAB_TOKEN when calling provider APIs externally; this is appropriate and proportional for fetching PR/MR data, and the skill itself does not demand or store any credentials.
- Persistence & Privilege
- ok · Skill flags are default (always: false, user-invocable: true, model invocation enabled). The package does not alter other skills or system configs and does not request persistent presence or elevated privileges.
