Review Pr
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could post an AI-generated review to a Gitee PR under the configured account, which may be visible to collaborators or the public and could affect a development workflow.
This instructs the agent to publish a remote PR comment as the default workflow, but the artifact does not require an explicit user confirmation or preview before posting.
### Step 6: Post Review Comment
Use `comment_pull` to post the review to the PR.
Change the workflow to draft the review in chat first, verify the exact repository and PR number, and only call `comment_pull` after the user explicitly approves posting.
PR reads and comments will use the permissions and identity configured in the Gitee MCP server.
The skill relies on a configured Gitee MCP server, which likely acts with the user's or workspace's Gitee permissions.
```yaml
requires:
  mcp-servers:
    - gitee
```
Use a least-privileged Gitee token or account and confirm which identity the MCP server uses before allowing the skill to post comments.
If a local `mcporter` binary is used, MCP calls depend on that local tool's behavior and provenance.
The skill prefers an optional local CLI helper that is not provided or version-pinned in the artifact set.
If you have `mcporter` installed locally, you should use `mcporter` to invoke the MCP tool instead of directly calling the MCP tool.
Only use a trusted, known installation of `mcporter`, or use the configured Gitee MCP tools directly.
