📦 Github MergeGuard AI — PR Security Check
v1.0.0 · Monitors GitHub Pull Requests in real time; AI automatically scans code diffs and dependency changes, identifies potential vulnerabilities, malicious commits and configuration risks, and outputs a mergeability security score with remediation suggestions.
0 · 702 · 1 current · 1 total
Download skill package
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
high confidence
Assessment recommendation
Do not provide your GitHub token to this skill until you verify the remote service. The skill asks you to POST repo data and (optionally) your GitHub token to https://pr-risk-analyzer.onrender.com — there is no homepage or source code linked, and that could expose repository contents or credentials. Ask the provider for: (1) a privacy/security policy and ownership information for that domain, (2) source code or a self-hosted option, or (3) support for using an OAuth/GitHub App flow or running an...
⚠ Purpose and capabilities
The skill claims to analyze GitHub PRs, which is reasonable, but instead of describing how it interacts with GitHub APIs or running analysis locally, it instructs the agent to POST repo and (optionally) GitHub tokens to an external service (pr-risk-analyzer.onrender.com). There is no homepage, source, or provenance for that service, so forwarding credentials and repository data to it is not justified by the stated purpose.
⚠ Instruction scope
SKILL.md explicitly instructs sending repo name, PR number, and a GitHub token to the external API. Although it tells the agent not to store tokens, sending a token to an unknown third party is effectively credential disclosure. The skill does not offer an alternative (e.g., using the official GitHub API or a GitHub App) or detail trust/privacy controls for that endpoint.
✓ Installation mechanism
This is an instruction-only skill with no install spec and no bundled code, so it does not write files or install packages. That reduces installation risk.
⚠ Credential requirements
No environment variables are declared, but the skill requires a GitHub access token from the user for private repos and instructs sending it to an external server. Requesting and transmitting credentials to an unverified endpoint is disproportionate relative to the described task and is a sensitive action.
✓ Persistence and permissions
The skill does not request persistent installation or elevated privileges (always:false) and does not modify other skills or system settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/2/17
● Suspicious
Install command
Official: npx clawhub@latest install pr-risk-analyzer
Mirror (accelerated): npx clawhub@latest install pr-risk-analyzer --registry https://cn.longxiaskill.com