ClawHub

Code Review Bot

v0.1.0

Analyze GitHub pull requests, summarize risk, and draft a reviewer checklist using the gh CLI.

0· 82·0 current·0 all-time
byMehul Bhojraj Upase@mehulupase01
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (python + gh), and the included script all align with the stated goal of analyzing GitHub PRs. The declared primary credential (GITHUB_TOKEN) is appropriate for GitHub API access.
Instruction Scope
SKILL.md instructs only to run gh pr view, gh pr checks, and the local Python script. It explicitly forbids merging or executing repository code and treats PR content as untrusted. The instructions do not read unrelated system files or transmit data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), and the included Python script is run locally from the package — no remote downloads or package installs are performed by the skill itself.
Credentials
Requesting a GITHUB_TOKEN as the primary credential is proportionate to the task. Minor metadata inconsistency: registry metadata listed 'Required env vars: none' while SKILL.md and primaryEnv declare GITHUB_TOKEN. No other secrets or unrelated env vars are requested.
Persistence & Privilege
always is false and the skill does not request persistent system changes or modify other skills. The normal autonomous invocation flag is set to allow normal operation; that is expected and not excessive by itself.
Assessment
This skill appears to do exactly what it says, but take the usual precautions before enabling it: 1) Provide a GITHUB_TOKEN with the least privilege necessary (prefer read-only repo scopes where possible; avoid org-admin tokens). 2) Ensure your gh CLI is configured for the correct account and that the token is not shared across unrelated systems. 3) Review the bundled scripts (scripts/review_helper.py) yourself — they only read GH JSON and print a markdown summary, but you should verify no modifications or network calls are added. 4) Run the included unit test or run the script locally against fixture files first to confirm behavior. 5) If you permit autonomous agent invocation, limit the agent's ability to run write operations (approve/merge) with separate safeguards because the skill's instructions rely on gh and an over-privileged token could be misused elsewhere.

Like a lobster shell, security has layers — review code before you run it.

latestvk973we4k3bejy2qbmpn1rp8ebx83fh7d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython
Any bingh
Primary envGITHUB_TOKEN

Comments