Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pr-reviewer

Automated GitHub PR code review with diff analysis, lint integration, and structured reports. Use when reviewing pull requests, checking for security issues,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 5.7k · 44 current installs · 44 all-time installs
by Brian Colinger (@briancolinger)
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (GitHub PR review with diff analysis and linting) align with the included script and SKILL.md. Required binaries (gh, python3, optional golangci-lint/ruff) are appropriate for the stated functionality.
Instruction Scope
SKILL.md and the script stay within PR-review responsibilities (fetch PRs, analyze diffs, run local linters, generate/post reports). Minor inconsistencies: SKILL.md examples reference scripts/github/pr-reviewer.sh while the included script is scripts/pr-review.sh (path/name mismatch). The skill expects gh to be authenticated (uses gh for repo access) but does not declare environment variables for auth (this is normal because gh stores its own credentials). The instructions propose heartbeat/cron integration which, when combined with write access, can auto-post comments — expected but worth noting.
Install Mechanism
No install spec (instruction-only plus an included script). No remote downloads or archive extraction. Low install risk.
Credentials
The skill requests no environment secrets. It relies on the locally configured gh CLI for GitHub authentication (expected for a GitHub integration). It writes state and report files to the repository working directory (defaults: ./data/pr-reviews.json and ./data/pr-reviews/). This file-write behavior is proportionate to tracking reviews but users should be aware of on-disk state.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modify other skills. It writes local state and report files (expected). It will operate with whatever privileges the authenticated gh user has (read for analysis, write if posting comments) — SKILL.md documents this.
Assessment
This skill appears to do what it says: it analyzes PR diffs, optionally runs local linters, and can post reports using the gh CLI. Before installing, confirm: (1) which gh account will be used and what repo permissions it has (posting comments requires write access); (2) you are okay with the script writing a state file and reports into the repo working tree (defaults: ./data/pr-reviews.json and ./data/pr-reviews/); (3) the script path mismatch in SKILL.md (scripts/github/pr-reviewer.sh vs included scripts/pr-review.sh) — verify and update the invocation you use; (4) if you automate it via cron/heartbeat, the job will run with the gh user's privileges and may post comments automatically when configured. If you want extra safety, run the script in a read-only mode (check/list/status) or in a separate test repo and inspect generated reports before enabling automatic posting.


Current version: v1.0.1 (latest: vk9737jje93qy01t0wyrt8w3e8h81enn0)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: gh, python3
Any bin: golangci-lint, ruff

SKILL.md

PR Reviewer

Automated code review for GitHub pull requests. Analyzes diffs for security issues, error handling gaps, style problems, and test coverage.

Prerequisites

  • gh CLI installed and authenticated (gh auth status)
  • Repository access (read at minimum, write for posting comments)
  • Optional: golangci-lint for Go linting, ruff for Python linting

Quick Start

# Review all open PRs in current repo
scripts/github/pr-reviewer.sh check

# Review a specific PR
scripts/github/pr-reviewer.sh review 42

# Post review as GitHub comment
scripts/github/pr-reviewer.sh post 42

# Check status of all open PRs
scripts/github/pr-reviewer.sh status

# List unreviewed PRs (useful for heartbeat/cron integration)
scripts/github/pr-reviewer.sh list-unreviewed

Configuration

Set these environment variables; any you leave unset are auto-detected from the current git repo:

  • PR_REVIEW_REPO — GitHub repo in owner/repo format (default: detected from gh repo view)
  • PR_REVIEW_DIR — Local checkout path for lint (default: git root of cwd)
  • PR_REVIEW_STATE — State file path (default: ./data/pr-reviews.json)
  • PR_REVIEW_OUTDIR — Report output directory (default: ./data/pr-reviews/)

Directories Written

  • PR_REVIEW_STATE (default: ./data/pr-reviews.json) — Tracks reviewed PRs and their HEAD SHAs
  • PR_REVIEW_OUTDIR (default: ./data/pr-reviews/) — Markdown review reports

What It Checks

  • Security 🔴: Hardcoded credentials, AWS keys, secrets in code
  • Error Handling 🟡: Discarded errors (Go _ :=), bare except: (Python), unchecked Close()
  • Risk 🟠: panic() calls, process.exit()
  • Style 🔵: fmt.Print/print()/console.log in prod, very long lines
  • TODOs 📝: TODO, FIXME, HACK, XXX markers
  • Test Coverage 📊: Source files changed without corresponding test changes

Smart Re-Review

Tracks HEAD SHA per PR. Only re-reviews when new commits are pushed. Use review <PR#> to force re-review.
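As an added illustration of the SHA-per-PR bookkeeping described above (example code written for this page, not the skill's own scripts/pr-review.sh), the following Python keeps a PR-number-to-HEAD-SHA map in a JSON file such as ./data/pr-reviews.json, decides which open PRs still need a review, and writes the file atomically so a crashed run cannot corrupt it. The state-file layout and the `gh pr list --json number,headRefOid` query named in the comments are assumptions; the README does not specify either.

```python
import json
import os

# Assumed state-file layout (the README only says it tracks reviewed PRs and
# their HEAD SHAs): {"<pr number>": "<head sha at the time of the last review>"}


def load_state(path):
    """Read the state file; a missing file means nothing has been reviewed yet."""
    try:
        with open(path, encoding='utf-8') as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_state(path, state):
    """Write the state atomically so an interrupted run cannot leave truncated JSON."""
    os.makedirs(os.path.dirname(path) or '.', exist_ok=True)
    tmp = path + '.tmp'
    with open(tmp, 'w', encoding='utf-8') as fh:
        json.dump(state, fh, indent=2, sort_keys=True)
    os.replace(tmp, path)          # rename is atomic on POSIX and Windows


def needs_review(state, number, head_sha, force=False):
    """True when the PR was never reviewed, its head moved, or `review <PR#>` forced it."""
    return force or state.get(str(number)) != head_sha


def unreviewed(state, open_prs):
    """The `list-unreviewed` question. open_prs is [(number, head_sha), ...], which
    could come from `gh pr list --json number,headRefOid` (assumed field names)."""
    return [n for n, sha in open_prs if needs_review(state, n, sha)]


def mark_reviewed(state, number, head_sha):
    """Record that this PR was reviewed at this head; call save_state afterwards."""
    state[str(number)] = head_sha
    return state


if __name__ == '__main__':
    # Constructed data: PR 42 already reviewed at its current head, PR 43 has
    # new commits since its last review, PR 44 has never been seen.
    state = {'42': 'aaaa1111', '43': 'bbbb2222'}
    open_prs = [(42, 'aaaa1111'), (43, 'bbbb3333'), (44, 'cccc4444')]
    print('needs review:', unreviewed(state, open_prs))   # [43, 44]
    for n, sha in open_prs:
        mark_reviewed(state, n, sha)
    print('after check:', unreviewed(state, open_prs))    # []
```

A heartbeat job built on this only does work when `unreviewed()` returns something, which is exactly why re-running it every few minutes is cheap: an unchanged PR head is never re-analyzed or re-posted.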

Report Format

Reports are saved as markdown files in the output directory. Each report includes:

  • PR metadata (author, branch, changes)
  • Commit list
  • Changed file categorization by language/type
  • Automated diff findings with file, line, category, and context
  • Test coverage analysis
  • Local lint results (when repo is checked out locally)
  • Summary verdict: 🔴 SECURITY / 🟡 NEEDS ATTENTION / 🔵 MINOR NOTES / ✅ LOOKS GOOD

Heartbeat/Cron Integration

Add to a periodic check (heartbeat, cron job, or CI):

UNREVIEWED=$(scripts/github/pr-reviewer.sh list-unreviewed)
if [ -n "$UNREVIEWED" ]; then
  scripts/github/pr-reviewer.sh check
fi

Extending

The analysis patterns in the script are organized by language. Add new patterns by appending to the relevant pattern list in the analyze_diff() function:

# Add a new Go pattern
go_patterns.append((r'^\+.*os\.Exit\(', 'RISK', 'Direct os.Exit() — consider returning error'))
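The categories listed under What It Checks and the (regex, category, message) tuple convention shown above can be combined into a small standalone analyzer that walks a unified diff, reports each hit as file:line with its category, flags source files changed without tests, and derives the summary verdict. The following Python is an example written for this page, not the skill's own scripts/pr-review.sh: its pattern lists (the AKIA key prefix, credential assignments, Go `_ :=`, bare `except:`, and so on), the test-file naming rules, and the mapping from finding categories to the four verdicts are the example's own assumptions modelled on the README's categories, and the diff it runs on is constructed.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "file line category message context")

# (regex over one added diff line, category, message): the tuple shape the
# "Extending" section shows. The rules are constructed for this example to
# mirror the README's categories; they are not the skill's own pattern lists.
COMMON_PATTERNS = [
    (r'^\+.*AKIA[0-9A-Z]{16}', 'SECURITY', 'Possible AWS access key ID'),
    (r'(?i)^\+.*(password|secret|api[_-]?key)\s*[:=]{1,2}\s*["\'][^"\']+["\']',
     'SECURITY', 'Hardcoded credential'),
    (r'^\+.*\b(TODO|FIXME|HACK|XXX)\b', 'TODO', 'Marker left in code'),
    (r'^\+.{121,}$', 'STYLE', 'Very long line'),
]
LANG_PATTERNS = {
    'go': [
        (r'^\+.*\bpanic\(', 'RISK', 'panic() call'),
        (r'^\+.*\b_\s*:?=\s*\w', 'ERROR', 'Discarded error (_ :=)'),
        (r'^\+\s*defer\s+[\w.]+\.Close\(\)', 'ERROR', 'Unchecked Close()'),
        (r'^\+.*\bfmt\.Print', 'STYLE', 'fmt.Print* in production code'),
    ],
    'python': [
        (r'^\+\s*except\s*:', 'ERROR', 'Bare except:'),
        (r'^\+.*\bprint\(', 'STYLE', 'print() in production code'),
    ],
    'js': [
        (r'^\+.*\bprocess\.exit\(', 'RISK', 'process.exit() call'),
        (r'^\+.*\bconsole\.log\(', 'STYLE', 'console.log in production code'),
    ],
}
EXTENSIONS = {'.go': 'go', '.py': 'python', '.js': 'js', '.ts': 'js'}
# Assumed test-file conventions per language (not specified by the README).
TEST_FILE = re.compile(r'(_test\.go|test_\w*\.py|_test\.py|\.(test|spec)\.[jt]s)$|(^|/)tests?/')
HUNK = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


def language_of(path):
    return next((lang for ext, lang in EXTENSIONS.items() if path.endswith(ext)), None)


def analyze_diff(diff_text):
    """Walk a unified diff and return (findings, changed_paths). Line numbers are
    tracked on the new side of each hunk so every finding reads as file:line."""
    findings, changed, path, line, patterns = [], [], None, 0, COMMON_PATTERNS
    for raw in diff_text.splitlines():
        if raw.startswith('+++ '):                       # start of a new file section
            path = re.sub(r'^b/', '', raw[4:].split('\t')[0])
            changed.append(path)
            patterns = COMMON_PATTERNS + LANG_PATTERNS.get(language_of(path), [])
        elif (m := HUNK.match(raw)):                     # hunk header resets the new-side line
            line = int(m.group(1))
        elif path is None or raw.startswith(('diff ', 'index ', '\\', '-')):
            continue                                     # file headers and removed lines
        else:                                            # '+' added or ' ' context line
            if raw.startswith('+'):
                findings += [Finding(path, line, cat, msg, raw[1:].strip())
                             for rx, cat, msg in patterns if re.search(rx, raw)]
            line += 1


    return findings, changed


def missing_tests(changed):
    """README category 'Test Coverage': source files changed with no test change."""
    if any(TEST_FILE.search(p) for p in changed):
        return []
    return [p for p in changed if language_of(p)]


def verdict(findings):
    """Assumed ladder onto the README's four verdicts (the README lists them only)."""
    cats = {f.category for f in findings}
    if 'SECURITY' in cats:
        return '🔴 SECURITY'
    if cats & {'ERROR', 'RISK'}:
        return '🟡 NEEDS ATTENTION'
    return '🔵 MINOR NOTES' if cats else '✅ LOOKS GOOD'


def review(diff_text):
    findings, changed = analyze_diff(diff_text)
    lines = [f"Verdict: {verdict(findings)}"] + [
        f"- {f.file}:{f.line} [{f.category}] {f.message}: {f.context}" for f in findings]
    if untested := missing_tests(changed):
        lines.append("Changed without tests: " + ", ".join(untested))
    return "\n".join(lines)


# Constructed two-file diff with a hit in every README category except Risk.
SAMPLE_DIFF = """\
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -10,3 +10,6 @@ func run() error {
 \tcfg := loadConfig()
+\tapiKey := "AKIAIOSFODNN7EXAMPLE"
+\t_ := cfg.Validate()
+\tfmt.Println("starting", apiKey)
 \tsrv := newServer(cfg)
 \treturn srv.Serve()
--- a/tools/cleanup.py
+++ b/tools/cleanup.py
@@ -1,3 +1,7 @@
 import os
+# TODO: handle symlinks
 def cleanup(path):
-    os.remove(path)
+    try:
+        os.remove(path)
+    except:
+        pass
"""

if __name__ == '__main__':
    print(review(SAMPLE_DIFF))
```

Adding a rule is the same one-line append the README shows: a new tuple in the right language list, with the regex anchored on `^\+` so that removed and context lines never trigger it. Note that the sample's `apiKey` line matches both the AWS-prefix and the credential-assignment rules, so one diff line can carry several findings; deduplicating per line is a design choice, not something the README prescribes.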

Files

2 total