Universal Release
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate release helper, but it can edit release files and use your local GitHub CLI context, so review changes before applying them.
Before installing or invoking this skill, run it in dry-run mode, check the active GitHub CLI account, and review any changelog/version diffs before committing, tagging, or pushing a release. The provided SKILL.md excerpt was truncated, so avoid assuming unshown release steps are safe without reviewing the full instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect commit history and modify changelog files as part of preparing a release.
The workflow uses git commands and writes changelog entries. This is expected for a release workflow, but it can change repository files.
git log ${LAST_TAG}..HEAD --oneline ... git diff ${LAST_TAG}..HEAD --stat ... Insert at file head (preserve existing content)
Use the `--dry-run` option first and review the generated diff before allowing release file changes.
If run in a private repository, the agent may use your GitHub CLI login to read PR and repository metadata for contributor attribution.
The skill may use the GitHub CLI, which normally relies on the user's local GitHub authentication. The shown usage is read-only and purpose-aligned.
gh pr view <number> --json author --jq '.author.login' ... gh repo view --json owner --jq '.owner.login'
Confirm which GitHub account is active in `gh` and only run this in repositories where that access is appropriate.
The skill may fail or behave differently depending on whether git and GitHub CLI are installed and authenticated.
The metadata does not declare runtime dependencies or credential expectations, while the supplied workflow references git and gh commands. This is a setup clarity issue, not evidence of hidden code.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Verify required tools and authentication before using the skill, especially in private repositories.
