Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PR Review Assistant

v1.0.0

Automated pull request review providing detailed feedback on correctness, security, performance, maintainability, testing, and best practices.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for charlie-morrison/pr-review-assistant.

Prompt preview: Install & Setup
Install the skill "PR Review Assistant" (charlie-morrison/pr-review-assistant) from ClawHub.
Skill page: https://clawhub.ai/charlie-morrison/pr-review-assistant
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install charlie-morrison/pr-review-assistant

ClawHub CLI


npx clawhub@latest install pr-review-assistant

Security Scan

VirusTotal: Benign (View report →)

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (automated PR review) align with the included script, which collects diffs and file lists. However, the SKILL.md and the script rely on git and optionally the GitHub CLI (gh), but the registry metadata lists no required binaries or credentials. The SKILL.md also claims richer AI review capabilities ('understands project context', 'identifies patterns across multiple changed files', 'suggests specific fixes') that are not implemented in the included script (the script only gathers diffs/stats and prints them). This mismatch between claimed capabilities and actual artifacts is incoherent.
Instruction Scope
SKILL.md instructs running the included script and (optionally) using gh to fetch PR diffs. The instructions do not ask the agent to access unrelated system files or external endpoints. However the 'AI Enhancement' section explicitly encourages the agent to use repository context beyond the diff; that would legitimately require reading repository files, which is expected for a reviewer but expands runtime scope. The SKILL.md does not constrain what project files the agent may read, so an agent could end up reading any repo file if allowed.
Install Mechanism
There is no install spec (instruction-only with a small helper script). That minimizes install-time risk—nothing is downloaded or written by an installer.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. But the script invokes the GitHub CLI (gh) when a PR number is requested; gh requires authentication to GitHub (tokens/config stored elsewhere). The skill omits documenting that gh must be authenticated and does not request or declare a primary credential—this omission should be addressed so users know what permissions are needed.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It does not modify other skills or system settings. Autonomous invocation is allowed by default but is not combined with other high-risk indicators here.
What to consider before installing
This skill appears to be a small helper that collects diffs for an AI reviewer, but there are two things to be cautious about:

- Missing declared requirements: The script calls git and (optionally) gh but the skill metadata didn't list those binaries. Ensure git and gh are present and that gh is authenticated only with an account/token you trust.
- Overpromised AI behavior: SKILL.md claims advanced cross-file, repository-aware suggestions, but the included script only gathers diffs and stats. If you rely on the agent to perform in-depth review, inspect whatever AI-side code/config will run with this skill (the agent's model prompts and what files it will be allowed to read).

Give the skill least privilege: run it locally first, confirm outputs, and restrict the agent's repository file access if possible.

Recommended actions before installing: run scripts/pr_review.py locally to confirm behavior, verify no unexpected network endpoints or credential usage are introduced at runtime, and if you enable autonomous invocation, limit its repository/file read scope and monitor gh authentication tokens used by the environment.
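The pre-install check recommended above (confirm which binaries and credentials a skill's script actually uses before trusting its metadata) can be done statically, without running the script. The following is an added example, not ClawHub's scanner and not the skill's own code: it walks the Python AST of a helper script, records the external binaries passed to subprocess, any networking modules imported, and any environment variables read, then diffs that against what the skill metadata declares. SAMPLE_SCRIPT is a constructed stand-in for scripts/pr_review.py (whose contents this page does not show), and all function names here are this example's own.

```python
"""Static pre-install audit of a skill helper script (added example).

Reports three things the scan above asks a user to verify before running a
skill: external binaries executed via subprocess, networking modules imported,
and environment variables (potential credentials) read. SAMPLE_SCRIPT below is
constructed for this illustration; it is not the skill's real script.
"""
import ast

NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx", "ssl", "ftplib", "smtplib"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _first_string(node):
    """Leading program name of a subprocess argv given as a str or list literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        parts = node.value.split()
        return parts[0] if parts else None
    if isinstance(node, (ast.List, ast.Tuple)) and node.elts:
        return _first_string(node.elts[0])
    return None


def _is_os_environ(node):
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def audit_script(source):
    """Return {'binaries', 'network_modules', 'env_vars', 'shell_true'} for the source."""
    report = {"binaries": set(), "network_modules": set(), "env_vars": set(), "shell_true": 0}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):                      # import socket, urllib.request
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in NETWORK_MODULES:
                    report["network_modules"].add(root)
        elif isinstance(node, ast.ImportFrom) and node.module:  # from urllib import request
            root = node.module.split(".")[0]
            if root in NETWORK_MODULES:
                report["network_modules"].add(root)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            func = node.func
            if (func.attr in SUBPROCESS_FUNCS and isinstance(func.value, ast.Name)
                    and func.value.id == "subprocess"):        # subprocess.run([...])
                if node.args:
                    binary = _first_string(node.args[0])
                    if binary:
                        report["binaries"].add(binary)
                for kw in node.keywords:                       # shell=True is worth flagging
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        report["shell_true"] += 1
            elif node.args and isinstance(node.args[0], ast.Constant):
                is_environ_get = func.attr == "get" and _is_os_environ(func.value)
                is_os_getenv = (func.attr == "getenv" and isinstance(func.value, ast.Name)
                                and func.value.id == "os")
                if is_environ_get or is_os_getenv:             # os.environ.get("X") / os.getenv("X")
                    report["env_vars"].add(node.args[0].value)
        elif isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            if isinstance(node.slice, ast.Constant):           # os.environ["X"]  (Python 3.9+ AST)
                report["env_vars"].add(node.slice.value)
    return report


def undeclared_requirements(report, declared_binaries=(), declared_env=()):
    """Everything the script uses that the skill metadata did not declare."""
    return {
        "binaries": sorted(report["binaries"] - set(declared_binaries)),
        "env_vars": sorted(report["env_vars"] - set(declared_env)),
        "network_modules": sorted(report["network_modules"]),
    }


# Constructed stand-in for a diff-collecting helper; NOT the skill's real script.
SAMPLE_SCRIPT = '''
import subprocess, os, json

def branch_diff(base):
    return subprocess.check_output(["git", "diff", base])

def pr_diff(number):
    token = os.environ.get("GH_TOKEN")
    return subprocess.run(["gh", "pr", "diff", str(number)], capture_output=True)
'''

if __name__ == "__main__":
    # The page's metadata declares no binaries or credentials, so everything found is undeclared.
    print(undeclared_requirements(audit_script(SAMPLE_SCRIPT)))
```

Run against the constructed script with an empty declaration, as the skill's metadata has, the audit reports git and gh as undeclared binaries and GH_TOKEN as an undeclared credential, which is exactly the gap the scan describes; a script that imported a networking module or used shell=True would show up in the same report.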

Like a lobster shell, security has layers — review code before you run it.

latest: vk975hvgtd6qz2wyn330c1jr1p185mnt4
0 downloads
0 stars
1 version
Updated 3h ago
v1.0.0
MIT-0

PR Review Assistant

Automated pull request review with structured feedback on code quality, security, performance, and best practices. Use when reviewing PRs, preparing code for review, or setting up automated review workflows.

Usage

# Review current branch changes against main
python3 scripts/pr_review.py

# Review specific PR (requires gh CLI)
python3 scripts/pr_review.py --pr 42

# Review staged changes only
python3 scripts/pr_review.py --staged

# Review with specific focus areas
python3 scripts/pr_review.py --focus security,performance

Review Categories

The assistant evaluates code across 6 dimensions:

1. Correctness

  • Logic errors, off-by-one, null handling
  • Missing edge cases
  • Incorrect type usage

2. Security

  • Injection vulnerabilities (SQL, XSS, command)
  • Hardcoded secrets or credentials
  • Insecure deserialization
  • Missing input validation

3. Performance

  • N+1 queries, unnecessary loops
  • Memory leaks, unbounded growth
  • Missing indexes on queried fields
  • Inefficient algorithms

4. Maintainability

  • Dead code, unused imports
  • Functions doing too much
  • Unclear naming
  • Missing or excessive comments

5. Testing

  • Are new code paths covered?
  • Missing edge case tests
  • Test quality (assertions, mocking)

6. Best Practices

  • Framework-specific patterns
  • Error handling conventions
  • API design consistency
  • Documentation updates needed

Output Format

## PR Review Summary

**Risk Level:** 🟢 Low / 🟡 Medium / 🔴 High

### Must Fix (blocking)
- [file:line] Description of critical issue

### Should Fix (non-blocking)
- [file:line] Description of improvement

### Consider (optional)
- [file:line] Suggestion for better approach

### Positive Notes
- What was done well

Parameters

| Parameter | Description | Default |
|---|---|---|
| --pr | GitHub PR number | None (uses diff) |
| --base | Base branch to compare | main |
| --staged | Review staged changes only | false |
| --focus | Comma-separated focus areas | All |
| --severity | Minimum severity to report | low |
| --format | Output format: markdown, json, github-comment | markdown |
| --max-files | Max files to review | 50 |
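To make the Review Categories, the --focus and --severity parameters and the Output Format above concrete, here is an added example of how those pieces fit together. It is not the skill's scripts/pr_review.py (whose contents this page does not show): it parses a unified diff, runs a handful of Security and Correctness checks against only the lines a change adds, filters by focus area and minimum severity, and renders the Must Fix / Should Fix / Consider summary. The sample diff, the check patterns and the severity scale are constructed for this illustration.

```python
"""Diff-driven review in the shape of the skill's Output Format (added example).

Not the skill's own script. Only added ('+') lines are inspected, since those
are what a reviewer is asked to judge; line numbers refer to the new file.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}   # constructed scale for --severity


@dataclass
class Finding:
    file: str
    line: int
    category: str
    severity: str
    message: str


# (category, severity, pattern, message). Patterns are narrow on purpose: they
# match the construct itself, not any mention of the word in a comment.
CHECKS = [
    ("security", "high",
     re.compile(r"""(?i)\b(password|secret|api[_-]?key|token)\s*=\s*["'][^"']{8,}["']"""),
     "Hardcoded credential; load it from the environment or a secret store"),
    ("security", "high",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "shell=True with a built command string invites command injection; pass an argv list"),
    ("security", "high",
     re.compile(r"\bpickle\.loads?\("),
     "Insecure deserialization; pickle must never see untrusted bytes"),
    ("correctness", "low",
     re.compile(r"\bexcept\s*:\s*$"),
     "Bare except swallows every error, including KeyboardInterrupt"),
]


def parse_added_lines(diff):
    """Yield (file, new_line_number, text) for every added line in a unified diff."""
    current_file, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)   # new-side start line
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+") and not raw.startswith("+++"):
            yield current_file, line_no, raw[1:]
            line_no += 1
        elif raw.startswith("-") and not raw.startswith("---"):
            pass                                             # removed line: new side unchanged
        elif current_file is not None and not raw.startswith("\\"):
            line_no += 1                                     # context line


def review_diff(diff, focus=None, min_severity="low"):
    """Apply CHECKS; `focus` mirrors --focus, `min_severity` mirrors --severity."""
    wanted = set(focus) if focus else None
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for file, line, text in parse_added_lines(diff):
        for category, severity, pattern, message in CHECKS:
            if wanted and category not in wanted or SEVERITY_RANK[severity] < threshold:
                continue
            if pattern.search(text):
                findings.append(Finding(file, line, category, severity, message))
    return findings


def risk_level(findings):
    """Overall risk follows the worst finding, as in the summary header."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=-1)
    return {2: "High", 1: "Medium"}.get(worst, "Low")


def render_markdown(findings):
    """Emit the Must Fix / Should Fix / Consider layout from the Output Format section."""
    buckets = {"high": [], "medium": [], "low": []}
    for f in findings:
        buckets[f.severity].append(f"- [{f.file}:{f.line}] {f.message}")
    out = ["## PR Review Summary", "", f"**Risk Level:** {risk_level(findings)}", ""]
    for title, sev in (("### Must Fix (blocking)", "high"),
                       ("### Should Fix (non-blocking)", "medium"),
                       ("### Consider (optional)", "low")):
        out += [title, *(buckets[sev] or ["- none"]), ""]
    return "\n".join(out)


# Constructed sample diff containing one instance of each smell checked above.
SAMPLE_DIFF = """\
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,3 +1,10 @@
 import subprocess
+import pickle
+API_KEY = "sk-test-0123456789abcdef"
 def run(cmd):
-    return subprocess.run(cmd)
+    return subprocess.run("ls " + cmd, shell=True)
+def load(blob):
+    try:
+        return pickle.loads(blob)
+    except:
+        return None
"""

if __name__ == "__main__":
    print(render_markdown(review_diff(SAMPLE_DIFF)))
```

On the sample diff the three security hits land in Must Fix and the bare except in Consider, so the header reports High; `review_diff(SAMPLE_DIFF, focus=["correctness"])` keeps only the bare except, and `min_severity="medium"` drops it, which is the behaviour the --focus and --severity rows describe.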

AI Enhancement

When used as an agent skill, the AI reviewer:

  • Understands project context from surrounding code, not just the diff
  • Identifies patterns across multiple changed files
  • Suggests specific code fixes, not just descriptions of problems
  • Learns from repository conventions and applies them consistently
  • Generates review comments in the project's preferred style
