Pull Request Reviewer

v1.0.0

Use when the user wants a local review of a GitHub pull request based on its diff, risks, quality, performance, tests, and security implications.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the runtime instructions: the skill focuses on reading a PR diff/metadata and producing a review. It does not request unrelated binaries, credentials, or system access.
Instruction Scope
SKILL.md instructs the agent to resolve PR numbers, read PR metadata and full diffs and produce structured findings. This stays within the stated purpose. It is slightly ambiguous about whether the agent should fetch diffs from GitHub itself (which would require network access or a token) versus relying on a user-supplied diff — the skill does not declare any credentials or network steps.
Install Mechanism
There is no install spec and no code files beyond simple metadata and provenance docs, so nothing is written to disk or downloaded by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. This is proportionate to an instruction-only reviewer that operates on supplied diffs. (If you intend the agent to fetch private PRs, you may need to provide a GitHub token externally — that is not requested by the skill itself.)
Persistence & Privilege
always is false and there is no indication the skill requests persistent system-wide changes or modifies other skills' configs. It does not ask for persistent privileges.
Assessment
This appears low-risk: it only describes reading diffs and producing reviews and has no installers or credential requests. Before using, consider: (1) avoid pasting sensitive secrets into diffs you give the skill; (2) if you want the agent to fetch private PRs, provide a least-privileged GitHub token and be aware the skill does not itself declare how it will use it; (3) the skill's source is unknown — if provenance matters, verify origin before granting any external access or tokens.

Like a lobster shell, security has layers — review code before you run it.
