Code Review
Audited by ClawScan on May 11, 2026.
Overview
This is mostly a normal code-review instruction skill, but it can tell the agent to edit, commit, and push repository changes without an explicit approval step.
Install only if you are comfortable with a review helper that may use the GitHub CLI and run local project commands. Before allowing it to fix CI failures, require it to show the diff and ask for confirmation before staging, committing, pushing, or running project scripts from untrusted code.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could unintentionally commit and push broad local changes, including unrelated files, to a remote repository.
The skill instructs the agent to modify code and push commits for CI failures, and `git add .` stages every modified and untracked (non-ignored) file under the current directory, so unrelated local changes can be committed along with the fix. There is no explicit instruction to ask the user before committing or pushing.
**If CI fails on your own PR:** ... **Implement the fixes** ... `git add .` ... `git commit -m "fix: resolve CI failures"` ... `git push`
Require explicit user approval before edits, commits, or pushes; stage only reviewed files; show the diff before committing; and prefer making review recommendations unless the user asks for fixes.
Actions may run with the user's GitHub permissions, so the agent may be able to read private repository data or affect repositories the user can write to.
The skill relies on the user's authenticated GitHub CLI session to view PRs, CI checks, and potentially push repository changes.
**Note**: Checking a PR's CI/CD status requires the `gh` command. ... `gh auth login`
Use a least-privileged GitHub account/token where possible and confirm the target repository and branch before allowing write actions.
If used on untrusted code, local test/build scripts could run arbitrary project commands on the user's machine.
The review workflow recommends running project-defined scripts. This is common for CI verification, but `npm run <script>` and `npm test` execute whatever command the repository's `package.json` maps to that name, so a PR under review controls what runs on the reviewer's machine.
`npm run type-check` ... `npm run lint` ... `npm test` ... `npm run build` ... `npm run ci`
Run project scripts only for trusted repositories or inside a sandbox/container, and ask before executing scripts from a PR or unfamiliar project.
Users may be prompted to install or authenticate additional tooling that the registry metadata did not flag.
Registry requirements say no required binaries, but the skill documentation depends on Git and GitHub CLI. The dependency is disclosed and relevant, but not reflected in metadata.
## Dependencies - Git ... - GitHub CLI (`gh`) ... ... `brew install gh`
Declare Git and GitHub CLI requirements in metadata, and keep setup instructions limited to official package sources.
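All four findings above come from static signals in SKILL.md and the registry metadata. The checker below is added here as an example of how such signals can be derived; it is not ClawScan's scanner or the skill's own code. It runs over a constructed English excerpt in the shape of the reviewed SKILL.md and flags broad staging (`git add .`), a `git push` instruction in a document with no approval language, project-script execution (`npm run ...`, `npm test`), and binaries the instructions use that the metadata does not declare. The sample document, the metadata shape (`requires.binaries`), the rule names, the binary list and the regexes are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: an English excerpt in the shape of the reviewed
# SKILL.md, written for this example; it is not the real skill file.
SAMPLE_SKILL_MD = """# Code Review

## Dependencies
- Git
- GitHub CLI (`gh`): `brew install gh`, then `gh auth login`

## Workflow
1. `gh pr view` and `gh pr checks` to read the PR and its CI status
2. Run the project checks: `npm run type-check`, `npm run lint`, `npm test`
3. If CI fails on your own PR: apply fixes, then
   `git add .`
   `git commit -m "fix: resolve CI failures"`
   `git push`
"""

# Assumed registry metadata shape: the registry declared no required binaries.
SAMPLE_METADATA = {"requires": {"binaries": []}}


@dataclass
class Finding:
    rule: str
    line_no: int   # 1-based line in SKILL.md; 0 for document-wide findings
    evidence: str
    advice: str


# Only backtick code spans are inspected, so a prose warning that merely
# mentions "git push" does not trigger a finding.
CODE_SPAN = re.compile(r"`([^`]+)`")
BROAD_STAGE = re.compile(r"\bgit\s+add\s+(\.|-A|--all)(\s|$)")
REMOTE_WRITE = re.compile(r"\bgit\s+push\b")
PROJECT_SCRIPT = re.compile(r"\b(npm|yarn|pnpm)\s+(run\s+\S+|test|ci|build)\b|\bmake\b")
APPROVAL_LANGUAGE = re.compile(r"\b(ask\w*|confirm\w*|approv\w*|show the diff)\b", re.IGNORECASE)
# Binaries counted as a dependency when they lead a code span (assumed list).
KNOWN_BINARIES = frozenset({"git", "gh", "npm", "yarn", "pnpm", "make"})


def scan_skill(markdown: str, metadata: dict) -> list[Finding]:
    """Return static findings for a skill's instructions plus its registry metadata."""
    findings: list[Finding] = []
    used_binaries: set[str] = set()
    has_remote_write = False

    for line_no, line in enumerate(markdown.splitlines(), start=1):
        for cmd in CODE_SPAN.findall(line):
            tokens = cmd.split()
            if tokens and tokens[0] in KNOWN_BINARIES:
                used_binaries.add(tokens[0])
            if BROAD_STAGE.search(cmd):
                findings.append(Finding(
                    "broad-staging", line_no, cmd,
                    "Stage only the reviewed paths (git add -- <file>...), never the whole tree."))
            if REMOTE_WRITE.search(cmd):
                has_remote_write = True
            if PROJECT_SCRIPT.search(cmd):
                findings.append(Finding(
                    "project-script-execution", line_no, cmd,
                    "Repository-defined command; run only for trusted code or in a sandbox, and ask first."))

    # A push instruction with no approval language anywhere in the document.
    if has_remote_write and not APPROVAL_LANGUAGE.search(markdown):
        findings.append(Finding(
            "unapproved-remote-write", 0, "git push",
            "Show the diff and require explicit user approval before committing or pushing."))

    # Binaries the instructions rely on that the registry did not declare.
    declared = set(metadata.get("requires", {}).get("binaries", []))
    for binary in sorted(used_binaries - declared):
        findings.append(Finding(
            "undeclared-binary", 0, binary,
            f"Instructions use `{binary}` but registry metadata declares no such requirement."))
    return findings


if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD, SAMPLE_METADATA):
        where = f"line {f.line_no}" if f.line_no else "document"
        print(f"[{f.rule}] {where}: {f.evidence!r} -> {f.advice}")
```

On the sample the checker reports one `broad-staging` hit on the `git add .` line, three `project-script-execution` hits on the line that lists the npm scripts, one document-wide `unapproved-remote-write`, and `undeclared-binary` for `gh`, `git` and `npm`. A document that says "show the diff and ask" and stages by path produces none of these, which is the shape the recommendations above are steering the skill toward. Restricting the patterns to code spans keeps a skill's own safety warnings from being counted as risky instructions.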
