CR Automated Review
Audited by ClawScan on May 11, 2026.
Overview
This code-review skill is mostly coherent, but it can move from reviewing into changing and pushing code without clearly requiring your approval.
Use this skill cautiously for read-only review tasks. Before letting it act, make sure it will not run `git add .`, commit, or push unless you explicitly approve the exact diff and target branch. Also confirm your GitHub CLI account has appropriate permissions and that any hardcoded-secret examples in the docs are treated only as examples.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked for a review, the agent could alter files, stage unrelated changes, publish commits to the remote branch, and trigger CI or deployment workflows.
A review-focused skill is instructed to modify the repository and push commits. `git add .` is broad and there is no explicit requirement to ask the user before committing or pushing.
**If CI fails on your own PR:** ... **Apply the fix** ... `git add .` ... `git commit -m "fix: resolve CI failures"` ... `git push`
Require explicit user approval before any file modification, commit, or push; replace `git add .` with a reviewed file list; show the diff before committing; and keep default review behavior read-only.
The agent may access PR metadata, diffs, and CI logs available to the authenticated GitHub account.
The skill uses GitHub CLI commands that operate under the user's GitHub authentication. This is expected for PR review, but users should understand it uses their account permissions.
`gh pr view <PR番号> --json statusCheckRollup` ... `gh pr diff <PR番号>` ... `gh run view <run-id> --log-failed` ... `gh auth login`
Use a least-privileged GitHub account or token where possible, and confirm repository/organization access before letting the agent run GitHub CLI commands.
The skill may fail or prompt setup steps if Git or GitHub CLI is unavailable, and installing tools via a package manager adds normal local supply-chain considerations.
The skill is instruction-only, but its documented workflow depends on external local tools. The GitHub CLI setup is disclosed and purpose-aligned, but it is not represented in the registry requirements.
## Dependencies
- Git (for checking change diffs)
- GitHub CLI (`gh`)
...
```bash
brew install gh
gh auth login
```
Install GitHub CLI only from trusted sources and verify the `gh` binary and authentication method before using the skill.
Local agent guidance could change how the review is performed or what the agent prioritizes.
The skill references a local persistent guidance file outside the supplied artifacts. That can be legitimate customization, but it means review behavior may depend on local context not reviewed here.
This skill provides systematic code review based on the following guidelines (`~/.claude/CLAUDE.md`)
Review `~/.claude/CLAUDE.md` for outdated, unsafe, or overly broad instructions before relying on this skill.
