PR Auto-Check
Advisory. Audited by static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the currently authenticated GitHub CLI context to read PR information and can post messages through the supplied Discord webhook.
The skill depends on delegated GitHub authentication and a Discord webhook credential. This is expected for reading PR data and posting notifications, but it is still sensitive authority.
- `gh` CLI authenticated (`gh auth login`)
- Discord webhook URL (set as `DISCORD_WEBHOOK` env var or pass `--webhook`)
Use a GitHub account/token with only the needed repository access, keep the Discord webhook secret, and only provide webhooks for channels where PR results may be shared.
Running the PR check may also run another locally installed healthcheck script with the user's normal shell permissions.
When run, the PR checker may execute the first local `healthcheck.sh` it finds in another installed skill directory. That is purpose-aligned with health validation, but the helper's provenance and version are outside this artifact.
```bash
# Locate the first healthcheck.sh under the installed healthcheck skill directory
HC=$(find ~/.openclaw/skills/healthcheck -name healthcheck.sh -type f 2>/dev/null | head -1)
if [[ -n "$HC" ]]; then
  # Run the helper; fall back to a default result if it fails or is missing
  HEALTH_JSON=$(bash "$HC" --json 2>/dev/null || echo '{"max_severity":2,"checks":{}}')
fi
```

Inspect and trust the installed healthcheck skill before using this pipeline, and consider pinning or documenting the exact helper path/version.
PR status, diff summary, and health summary information may be visible in the destination Discord channel or any endpoint supplied as the webhook.
The notification script sends the generated PR/CI/diff/health summary to whatever webhook URL is provided. This is the advertised Discord notification behavior, but it is an external data flow.
```bash
curl -s -H "Content-Type: application/json" -d "$PAYLOAD" "$WEBHOOK" >/dev/null
```
Use only trusted Discord webhook URLs, avoid channels where private repository or service-health details should not be shared, and review sensitive results before posting.
