GitHub Development Standard
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only GitHub development workflow. Its command examples are relevant to that workflow, but users should review them before running any that execute tests or change GitHub issues.
This skill appears safe as an instruction-only checklist for GitHub development. Before using it, remember that its example commands can run local project code and can comment on or close GitHub issues, so confirm targets and actions before execution.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these examples are used without checking the target repository and issue, the agent or user could comment on or close the wrong GitHub issue.
The skill documents GitHub CLI commands that can post comments and close issues. This is aligned with the GitHub development workflow, but it can affect a repository if run.
gh issue comment 53 --repo owner/repo --body "修复说明..."
gh issue close 53 --repo owner/repo
Require explicit confirmation before posting comments or closing issues, and verify the repository, issue number, and message body.
Running project tests or scripts may execute local repository code, which is normal for development but should be limited to trusted projects.
The workflow recommends running local Python validation and test commands. This is expected for a development workflow, but it executes project code.
python3 test_fix.py
python3 -m pytest tests/
Run these commands only in the intended repository and avoid executing tests or scripts from untrusted code without appropriate isolation.
