Security Scan
OpenClaw
Security
Medium confidence: The skill is internally consistent with a GitHub PR code-review assistant: it relies on the GitHub CLI and local git data, has no install steps or requested secrets, and its instructions stay within the stated purpose — but there are small documentation/integration inconsistencies you should confirm before installing.
Assessment Recommendation
This skill largely does what it says: it expects the GitHub CLI and access to the repository (local git or network-accessible PR) and will use those to read PR data, git history, and optionally post comments. Before installing or using it: 1) Confirm your environment has gh authenticated with the intended GitHub account and that you are comfortable that the skill will act with those permissions. 2) Ask the author or maintainer what 'sessions_spawn' is and whether spawned agents make external mod...
✓ Purpose and Capabilities
The name/description (PR/code-diff review with multiple agents and confidence filtering) matches the runtime instructions: using gh to fetch PR data, running git blame/log, summarizing diffs, and optionally posting comments. Requiring the GitHub CLI and a local git context is appropriate for this purpose.
ℹ Instruction Scope
Instructions stay within code-review scope (fetch PR details, read CLAUDE.md, run diffs, run git blame/log, produce structured report, optionally post gh comments). Two minor concerns: (1) the runtime uses a 'sessions_spawn' mechanism to start parallel agents but the skill doesn't document where that utility comes from or whether it spawns external model calls — you should confirm the platform has this facility and how spawned agents are authorized; (2) the built-in aggressive filtering (only reporting ≥80 confidence and excluding pre-existing issues) may suppress valid findings; ensure you understand the filter semantics.
✓ Installation Mechanism
This is an instruction-only skill with no install spec, no downloads, and no packages to write to disk — the lowest install risk. It does assume 'gh' (GitHub CLI) and a git repository are available; the README mentions this.
ℹ Credential Requirements
The skill requests no env vars or credentials. However, it relies on the user's GitHub CLI authentication (gh auth) and local git repo state to read and post PR comments. That is proportionate for a PR-commenting tool but means the skill will operate using whatever permissions the configured 'gh' session has — verify your gh login is scoped appropriately before running the skill.
✓ Persistence and Permissions
always:false is set and no persistent system modifications are requested. The skill does include an optional action to post PR comments (via gh pr comment), but only when the user explicitly requests '发布评论' ("post comment") or uses --comment; verify that behavior before granting broad automation rights.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest: v1.0.1 (2026/4/9)
- No file or documentation changes detected in this version.
- Functionality and workflow remain unchanged from the previous release.
● Harmless
Install Command
Official: npx clawhub@latest install openclaw-code-review-skill
Mirror (accelerated): npx clawhub@latest install openclaw-code-review-skill --registry https://cn.longxiaskill.com