Code Review
Rating: Warn
Audited by ClawScan on May 11, 2026.
Overview
This is mostly a code-review guide, but it can go beyond reviewing by fixing, committing, and pushing code with your GitHub privileges without clear confirmation.
Use this skill as a review assistant only if you are comfortable with its GitHub and local-command workflow. Before use, set a rule that it must ask before running project scripts, staging files, committing, or pushing. Prefer read-only GitHub access for review-only tasks and use a sandbox for untrusted repositories.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. A review request could turn into remote repository changes made under the user's account.
   These instructions tell the agent to stage all local changes, commit, and push them when handling CI failures on the user's PR. That can publish unintended files or code changes if not explicitly approved and scoped.
   Evidence:
       git add .
       git commit -m "fix: resolve CI failures"
       git push
   Recommendation: Require explicit user approval before any write action, replace `git add .` with a reviewed file list, show the diff before committing, and only push when the user specifically asks.
2. The agent may act with whatever repository permissions the signed-in GitHub account has.
   The skill expects GitHub CLI authentication and also documents GitHub/PR operations and pushes, but the registry metadata declares no primary credential. Authenticated GitHub access is expected for PR review, but the scope and write authority are not clearly bounded.
   Evidence:
       # Authentication
       gh auth login
   Recommendation: Use least-privilege GitHub credentials, prefer read-only access for review-only tasks, and document exactly when write operations are allowed.
3. If the repository or PR is untrusted, local test/build scripts could run unsafe code on the user's machine.
   Running local project scripts is a normal way to reproduce CI failures, but those scripts can execute code from the repository being reviewed.
   Evidence:
       npm run build
       npm run type-check
       npm test
       npm run ci
   Recommendation: Run project commands only in trusted repositories or in a sandbox/container, especially for third-party PRs.
4. Review behavior may depend on local persistent instructions outside the skill itself.
   The skill says it bases reviews on a persistent local Claude guideline file. This is purpose-aligned, but persistent instructions can influence future reviews if they are stale or modified unexpectedly.
   Evidence:
       Systematic code review based on the guidelines in `~/.claude/CLAUDE.md`
   Recommendation: Keep `~/.claude/CLAUDE.md` reviewed and trusted, and do not place secrets or untrusted instructions in it.
