Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PR Review

v0.2.1

GitHub PR code review - fetches the diff, runs automated checks, launches 3 parallel review agents (correctness, convention compliance, efficiency) to analyz...

by Misha Kolesnik @tenequm
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md implements a GitHub PR review flow that expects a local git repo, the GitHub 'gh' CLI, and the ability to post reviews. However, the declared requirements list no binaries, no config paths, and no primary credential. At minimum 'gh' (and git) and user authentication for GitHub are required for the described behavior. The presence of evaluation fixtures that create a mock gh CLI suggests tests assume the operator will add a mock to PATH — but that is not the same as the skill declaring its real runtime dependencies.
! Instruction Scope
The instructions direct the agent to clone/check out PRs, run local validation commands (from CLAUDE.md), read every changed file, and launch three parallel review sub-agents with model: 'opus' while wrapping PR content as untrusted. Those operations are in-scope for a PR reviewer, but the SKILL.md also requires model-based sub-agent invocation while the skill metadata sets disable-model-invocation: true (contradiction). The skill reads repository files and may clone into /tmp; it explicitly forbids executing arbitrary commands found in PR content, which is good, but the mismatch between declared capabilities and the runtime instructions is a practical problem.
Install Mechanism
There is no install specification (instruction-only), which minimizes automatic disk writes. The package does include evaluation fixture scripts and mock 'gh' creation scripts used for local testing; these are test artifacts that a user would need to run manually to reproduce evals. No external downloads or installers are embedded in the skill.
! Credentials
The skill will interact with GitHub via the 'gh' CLI and may need to post reviews, but it declares no required environment variables (no GITHUB_TOKEN/GH_TOKEN). That omission is disproportionate: either the operator must already have GH auth configured for 'gh', or the skill should declare and request credentials. The SKILL.md's requirement that reviews be posted only after explicit user confirmation mitigates auto-post risk, but the credential omission remains an inconsistency.
! Persistence & Privilege
The skill does not request persistent 'always' privileges (always: false), which is appropriate. However, the metadata sets disable-model-invocation: true while the instructions explicitly rely on launching multiple model-driven sub-agents (Agent tool with model: 'opus'). This mismatch affects whether the skill can perform its stated behavior and is a governance/privilege inconsistency that should be resolved before trusting the skill.
What to consider before installing
This skill's behavior (cloning/checking out PRs, running local validation, launching three parallel model-based review agents, and preparing GitHub reviews) is reasonable for a PR-reviewer, but the packaging is inconsistent. Before installing or running: (1) verify you have the GitHub 'gh' CLI and git on PATH and that 'gh' is authenticated (it will need permission to read the repo and, if you post reviews, to write), (2) confirm whether your platform allows the skill to invoke models — the SKILL.md expects sub-agents but the skill metadata sets disable-model-invocation: true, so ask the publisher to clarify/fix this, (3) treat evaluation fixture scripts as test-only — they create a mock 'gh' but are not a runtime install; don't run untrusted setup scripts unless you inspect them, (4) test the skill in a sandboxed environment (non-production account) to confirm actual behavior and that it will not auto-post reviews, and (5) ask the publisher to update metadata to declare required binaries and any needed environment variables (e.g., GITHUB_TOKEN or GH auth) and to remove the contradictory disable-model-invocation flag. If the publisher cannot explain or fix these mismatches, avoid granting the skill access to real repositories or credentials.
