PR Automate Check

Review: audited by ClawScan on May 11, 2026.

Overview

The skill matches its PR-checking purpose, but it relies on authenticated GitHub access, optional Discord posting, and an external local healthcheck script, while its metadata declares the credential requirement incompletely and its repository scoping is ambiguous.

Review this skill before installing. It is not clearly malicious, but you should make sure it runs in the correct GitHub repository, uses only the intended GitHub account, and posts only to a trusted Discord webhook. Be especially careful before wiring it into cron or PR-event automation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use your existing GitHub login to read PR diffs and status checks, and if run from the wrong repository context it could check the wrong PR.

Why it was flagged

The skill requires an authenticated local GitHub CLI profile, but registry metadata declares no primary credential or required configuration. The script also uses only the PR number, which leaves the GitHub account/repository context dependent on the local environment.

Skill content
`gh` (GitHub CLI) — authenticated
Recommendation

Declare the GitHub credential requirement and update the script to parse owner/repo from the PR URL and pass an explicit repository to `gh`, or require users to run it only from the intended repository.

What this means

A user or automation system could provide one PR URL while the script reads metadata or diffs from a different repository, leading to incorrect review results or unintended exposure of PR information in the agent session.

Why it was flagged

Although the documentation says the input is a full GitHub PR URL, the script ignores the URL owner and repository and runs `gh pr diff` against the current GitHub CLI repository context.

Skill content
if [[ "$PR_URL" =~ /pull/([0-9]+) ]]; then
  PR_NUM="${BASH_REMATCH[1]}"
  gh pr diff "$PR_NUM" > "$tmpdir/diff.txt"
Recommendation

Validate the full PR URL, extract owner/repo/PR number, and call GitHub CLI with an explicit repository argument.

What this means

Running this PR check may also execute another installed OpenClaw skill under your user account.

Why it was flagged

The script automatically runs an optional local healthcheck skill if present. This dependency is disclosed, but that external script is not part of the reviewed artifact set.

Skill content
bash ~/.openclaw/skills/healthcheck/healthcheck.sh --json > "$health_file"
Recommendation

Install the healthcheck skill only from a trusted source and review what it does before relying on this automation.

What this means

PR links and service health summaries may be posted to a Discord channel or any endpoint supplied as the webhook URL.

Why it was flagged

When a webhook URL is provided, the script sends the PR URL and health summary to that external Discord webhook. This is disclosed and purpose-aligned, but users should understand the data flow.

Skill content
curl -sS -X POST "$DISCORD_WEBHOOK" \
    -H 'Content-Type: application/json' \
    -d "$payload"
Recommendation

Use only trusted Discord webhook URLs and avoid sending private PR or health information to channels where it should not be shared.

What this means

If wired into cron or a webhook, the skill may run automatically for PR events without a person reviewing each invocation.

Why it was flagged

The documentation suggests user-configured recurring or event-driven execution. The skill does not install persistence itself, but automatic execution would repeatedly use GitHub CLI and optional Discord posting.

Skill content
To run automatically on PR events, set up a cron job or webhook that calls:

bash {baseDir}/scripts/pr-check.sh <PR_URL> <WEBHOOK>
Recommendation

Only enable automated triggering after confirming repository scoping, webhook destination, and failure behavior.