Repo PR Triage

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions, you-are-now); human review is required before treating this skill as clean.

This skill appears safe for normal PR triage if you are comfortable letting it read the target repository through your gh login. Review outputs before acting on recommendations, treat PR/README content as untrusted, and be cautious with the optional cron/Telegram setup for private repositories. ClawScan detected prompt-injection indicators (ignore-previous-instructions, you-are-now), so this skill requires review even though the model response was benign.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can access GitHub PR and repository metadata with the same read permissions as the user's gh login.

Why it was flagged

The skill uses the user's authenticated GitHub CLI session. That is expected for repo triage, but it means the skill may read data available to that GitHub account, including private repository PRs if the user points it there.

Skill content

- `gh` CLI installed and authenticated (`gh auth login`)

Recommendation

Use it only on repositories you intend to triage, and prefer a GitHub account/token with the least privileges needed.

What this means

A malicious README or PR description could try to influence the agent's reasoning if the agent treats repository text as instructions instead of data.

Why it was flagged

The onboarding script embeds fetched repository README content into a prompt used by the agent. Repository text is untrusted and could contain prompt-injection instructions, even though using repo context is purpose-aligned.

Skill content

### README excerpt:\n```\n{readme_snippet}\n```\n...\nAdapt based on the repo context above.

Recommendation

Treat README, issue, and PR text as untrusted data; do not let it override the user's goals or tool-use boundaries.

What this means

Users relying only on metadata may not realize the skill depends on local Python execution and an authenticated GitHub CLI.

Why it was flagged

The runtime requirements are disclosed in SKILL.md, but the registry metadata lists no required binaries or credentials. This is an under-declaration rather than hidden behavior.

Skill content

Requirements\n\n- `gh` CLI installed and authenticated (`gh auth login`)\n- Python 3.10+

Recommendation

Before using, confirm Python and gh are installed, authenticated intentionally, and pointed at the expected GitHub account.

What this means

A weekly job could continue scanning and producing reports until the user disables it.

Why it was flagged

The skill documents an optional recurring workflow. It is not installed automatically, but if configured it creates ongoing scheduled agent activity.

Skill content

## Recurring Triage via Cron\n\nSet up a cron job to scan weekly:

Recommendation

Only enable the cron example if you want recurring triage, and keep the repo URL, schedule, output path, and notification channel explicit.

What this means

If used on private repositories, summary details could be shared outside the local machine through Telegram.

Why it was flagged

The optional cron example sends triage summaries through Telegram. This is disclosed and user-directed, but it can move repository/PR information into an external messaging channel.

Skill content

channel: telegram\n...\nCron prompt: "Run pr-triage scan ... generate reports, and send the summary."

Recommendation

Avoid external notifications for sensitive repositories, or ensure the Telegram destination is trusted and the summary contains only acceptable information.