ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github MergeGuard AI

v1.0.0

Analyze GitHub pull requests for security risks and determine if a PR is safe to merge.

0· 674·1 current·1 all-time
byNerdvana Labs@nerdvana-labs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to analyze GitHub PRs, which is reasonable, but instead of describing how it interacts with GitHub APIs or running analysis locally, it instructs the agent to POST repo and (optionally) GitHub tokens to an external service (pr-risk-analyzer.onrender.com). There is no homepage, source, or provenance for that service, so forwarding credentials and repository data to it is not justified by the stated purpose.
!
Instruction Scope
SKILL.md explicitly instructs sending repo name, PR number, and a GitHub token to the external API. Although it tells the agent not to store tokens, sending a token to an unknown third party is effectively credential disclosure. The skill does not offer an alternative (e.g., using the official GitHub API or a GitHub App) or detail trust/privacy controls for that endpoint.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so it does not write files or install packages. That reduces installation risk.
!
Credentials
No environment variables are declared, but the skill requires a GitHub access token from the user for private repos and instructs sending it to an external server. Requesting and transmitting credentials to an unverified endpoint is disproportionate relative to the described task and is a sensitive action.
Persistence & Privilege
The skill does not request persistent installation or elevated privileges (always:false) and does not modify other skills or system settings.
What to consider before installing
Do not provide your GitHub token to this skill until you verify the remote service. The skill asks you to POST repo data and (optionally) your GitHub token to https://pr-risk-analyzer.onrender.com — there is no homepage or source code linked, and that could expose repository contents or credentials. Ask the provider for: (1) a privacy/security policy and ownership information for that domain, (2) source code or a self-hosted option, or (3) support for using an OAuth/GitHub App flow or running analysis locally so tokens never leave your environment. If you must use it short-term, prefer analyzing public PRs only (no token) and do not paste tokens into the chat.

Like a lobster shell, security has layers — review code before you run it.

latestvk979t8zkxp5y6k7mcnqd5c90hh81b7b7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments