Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gh-modify-pr

Modify code based on GitHub PR review comments and create a local commit using gh + git. Use when the user asks to "follow PR comments", "fix review comments...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 274 · 0 current installs · 0 all-time installs
by Daniel Lin @danie1Lin
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description ask for making PR-driven edits; required binaries are gh and git which are exactly what's needed to view PRs, fetch comments, checkout branches, and commit — coherent with the stated purpose.
Instruction Scope
Instructions operate on the local repo and GitHub via gh (view PR, fetch comments, checkout, commit). They do not request unrelated files or external endpoints. NOTE: the workflow will edit files in the agent workspace and commit them locally — this is expected for the task but is an action that will modify user files.
Install Mechanism
Instruction-only skill with no install steps or downloads. Lowest-risk install profile.
Credentials
Requires no declared env vars, which is reasonable, but implicitly depends on local Git/GitHub authentication (SSH keys for git@github.com clone and/or gh authentication or GH_TOKEN). Those credentials live in the environment/tooling but are not explicitly declared — not necessarily malicious, but users should be aware the skill will use existing git/gh auth to access repos.
Persistence & Privilege
always:false (not force-included). The skill will modify local files and can push only with user approval per its rules; it does not request persistent/system-wide privileges or attempt to change other skills' settings.
Assessment
This skill appears to do what it says: it will use the GitHub CLI and git to clone (if needed), check out the PR branch, modify files, and create a local commit. Before installing/using: ensure you trust the agent to modify code in the workspace, keep backups or run in a disposable clone, and verify changes before allowing any push. Note the skill will use your existing GitHub/Git auth (SSH keys or gh login/GH_TOKEN) even though no env vars are declared — confirm those credentials are appropriate for the repo you allow it to access. If you want stricter control, run the workflow in an isolated environment or provide a read-only clone and manually review commits before pushing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latestvk9764kdy64cax9jk7a2zxdar9n81vjbv

Runtime requirements

Bins: gh, git

SKILL.md

gh-modify-pr

Use this workflow for PR-comment-driven changes.

Inputs

  • PR URL (preferred), e.g. https://github.com/owner/repo/pull/123
  • Optional scope from user (e.g. only one comment, all unresolved comments)

Workflow

  1. Parse owner/repo and PR number from URL.
  2. Inspect PR summary:
    • gh pr view <url> --json number,title,headRefName,baseRefName,files,reviews,reviewDecision
  3. Fetch inline review comments:
    • gh api repos/<owner>/<repo>/pulls/<number>/comments
  4. Extract actionable items from comment bodies.
  5. Ensure local repo exists in workspace:
    • If missing: git clone git@github.com:<owner>/<repo>.git
  6. Checkout PR branch in local repo:
    • gh pr checkout <number>
  7. Open affected files and implement requested changes exactly.
  8. Validate changed files quickly (lint/test only if needed or requested).
  9. Commit:
    • git add <files>
    • git commit -m "<clear message>"
  10. Report back with:
    • What changed
    • Commit hash
    • Branch name
  11. Push only if user asks/approves:
    • git push
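
Steps 1 to 6 place parts of a user-supplied URL into a gh API path, an SSH clone URL and a directory name. The script below is an added example, not part of the skill: it accepts only https://github.com PR URLs and validates owner, repo and number before any command runs. The function names and the character and length limits are assumptions chosen to be conservative.

```sh
#!/bin/sh
# Added example, not part of the skill: validate the PR URL (workflow step 1)
# before its parts reach the gh/git commands of steps 2-6.
# Assumptions: only https://github.com PR URLs; conservative owner/repo charsets.

# parse_pr_url URL -> prints "owner repo number", or fails with status 1.
# The body is a subshell: LC_ALL, IFS and set -f do not leak to the caller,
# and "exit" leaves only the subshell.
parse_pr_url() (
  LC_ALL=C
  prefix=https://github.com/
  url=${1%%[?#]*}                       # query and fragment are never used
  case $url in "$prefix"*) ;; *) exit 1 ;; esac
  IFS=/; set -f
  set -- ${url#"$prefix"}               # owner repo "pull" number [tab]
  [ "$#" -ge 4 ] && [ "$#" -le 5 ] && [ "$3" = pull ] || exit 1
  owner=$1 repo=$2 number=$4
  case ${5-} in ''|files|commits|checks) ;; *) exit 1 ;; esac
  case $owner in ''|-*|*[!A-Za-z0-9-]*) exit 1 ;; esac
  # "." and ".." would change the meaning of the API path and the clone directory.
  case $repo in ''|.|..|-*|*[!A-Za-z0-9._-]*) exit 1 ;; esac
  case $number in ''|0*|*[!0-9]*) exit 1 ;; esac
  [ "${#owner}" -le 39 ] && [ "${#repo}" -le 100 ] && [ "${#number}" -le 10 ] || exit 1
  printf '%s %s %s\n' "$owner" "$repo" "$number"
)

# fetch_pr URL: steps 2, 3, 5 and 6 with validated values only.
# Uses the caller's existing gh/git auth; it never commits or pushes.
fetch_pr() {
  parts=$(parse_pr_url "$1") || { echo "rejected PR URL" >&2; return 1; }
  set -- $parts                         # three fields, no glob or space chars
  gh pr view "https://github.com/$1/$2/pull/$3" \
    --json number,title,headRefName,baseRefName,files,reviews,reviewDecision &&
  gh api "repos/$1/$2/pulls/$3/comments" &&
  { [ -d "$2/.git" ] || git clone -- "git@github.com:$1/$2.git" "$2"; } &&
  ( cd -- "$2" && gh pr checkout "$3" )
}

# Run only when a URL is given on the command line.
if [ "$#" -gt 0 ]; then fetch_pr "$1"; fi
```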

Rules

  • Prefer minimal diffs that address reviewer intent directly.
  • Do not silently alter unrelated code.
  • If a comment is ambiguous, ask one focused clarification question.
  • If no local repo exists, clone first instead of failing.
  • Include failed attempts in the final operation log when user asks for traceability.

Handy commands

# PR meta
gh pr view <url> --json number,title,headRefName,baseRefName,files,reviews,reviewDecision

# Inline review comments
gh api repos/<owner>/<repo>/pulls/<number>/comments

# Checkout PR branch (inside repo)
gh pr checkout <number>

# Status and commit
git status --short
git add <files>
git commit -m "chore: address PR review comments"

Output template

  • PR: <url>
  • Addressed comments: <n>
  • Changed files:
    • <path>: <summary>
  • Commit: <hash>
  • Branch: <branch>
  • Pushed: yes/no
