GitHub Smart Code Digest

Advisory

Audited by VirusTotal on Apr 16, 2026.

Overview

Type: OpenClaw Skill
Name: github-smart-code-digest
Version: 1.0.0

The skill bundle provides a legitimate workflow for automating GitHub code reviews and publishing summaries to Feishu Wiki. It uses the GitHub CLI (`gh`) in workflow.json to fetch PR data and diffs, processes them via an AI review engine, and uses a card renderer for visualization. No evidence of malicious intent, data exfiltration, or unauthorized command execution was found; the use of shell commands and environment variables for API keys is consistent with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can read PR and commit data available to the logged-in GitHub account and write pages to the configured Feishu Wiki space.

Why it was flagged

The skill needs the user's GitHub authenticated CLI context and Feishu app credentials with write access to publish reports.

Skill content

GitHub CLI (`gh`) is installed and `gh auth login` has been completed; the Feishu App has Wiki write permission; `FEISHU_APP_ID`, `FEISHU_APP_SECRET`

Recommendation

Use a least-privilege GitHub account/token and a Feishu app limited to the intended Wiki space; remove or rotate credentials when no longer needed.

What this means

Actual GitHub access, AI review, rendering, and Feishu publishing behavior also depend on those separately installed skills.

Why it was flagged

The combo depends on additional skills that are not included or version-pinned in the provided artifacts.

Skill content

openclaw install github
openclaw install code-review-skill
openclaw install card-renderer
openclaw install feishu-wiki

Recommendation

Review and install trusted versions of the dependency skills before enabling this workflow, especially in private repositories.

What this means

This is expected for GitHub automation, but unsafe parameter handling by the runtime could cause command errors or unintended shell behavior.

Why it was flagged

The workflow uses shell command templates with interpolated repository and PR parameters.

Skill content

'list_prs': 'gh pr list --repo ${repo} ...'; 'get_diff': 'gh pr diff ${pr_number} --repo ${repo} > /tmp/pr_${pr_number}.diff'

Recommendation

Only use validated repository names and dates, and prefer runtimes that pass arguments safely rather than concatenating shell strings.

What this means

Private code changes and review findings may be processed by several components and then become visible in the selected Feishu Wiki space.

Why it was flagged

PR diffs and review outputs are passed through multiple skills before being published to Feishu.

Skill content

github → code-review-skill → card-renderer → feishu-wiki; inputs include `diff_files`: `/tmp/pr_*.diff` and `review_data`: `/tmp/digest_reviews.json`

Recommendation

Confirm the data-handling behavior of each dependent skill and publish only to restricted Feishu spaces appropriate for the repository sensitivity.

What this means

If enabled, reports can continue to be generated and posted on a schedule without a manual trigger each time.

Why it was flagged

The skill supports persistent scheduled execution and repeated creation of Wiki report pages.

Skill content

Scheduled automatic push (recommended) ... `openclaw cron add` ... Feishu Wiki creates a new page on every run (historical reports are kept)

Recommendation

Enable cron only for intended repositories and spaces, monitor generated pages, and remove the schedule when it is no longer needed.