Github MergeGuard AI
by Nerdvana Labs · GitHub · v1.0.0
Downloads: 766 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw: /install pr-risk-analyzer
Description
Analyze GitHub pull requests for security risks and determine if a PR is safe to merge.
Usage Guidance
Do not provide your GitHub token to this skill until you verify the remote service. The skill asks you to POST repo data and (optionally) your GitHub token to https://pr-risk-analyzer.onrender.com — there is no homepage or source code linked, and that could expose repository contents or credentials. Ask the provider for: (1) a privacy/security policy and ownership information for that domain, (2) source code or a self-hosted option, or (3) support for using an OAuth/GitHub App flow or running analysis locally so tokens never leave your environment. If you must use it short-term, prefer analyzing public PRs only (no token) and do not paste tokens into the chat.
Capability Analysis
Type: OpenClaw Skill
Name: pr-risk-analyzer
Version: 1.0.0
The skill is suspicious due to its workflow, detailed in SKILL.md, which instructs the agent to send the user's GitHub access token to an external, third-party service at `https://pr-risk-analyzer.onrender.com/analyze-pr`. While this might be functionally necessary for the stated purpose of analyzing private pull requests, it introduces a significant trust boundary issue and potential data exfiltration risk, as the sensitive token is transmitted outside the OpenClaw environment to an unknown entity. The 'Guardrails' section in SKILL.md, which states 'Do not expose or store GitHub tokens,' is contradictory to this workflow, further raising concerns about the design's security implications.
Capability Assessment
Purpose & Capability
The skill claims to analyze GitHub PRs, which is reasonable, but instead of describing how it interacts with GitHub APIs or running analysis locally, it instructs the agent to POST repo and (optionally) GitHub tokens to an external service (pr-risk-analyzer.onrender.com). There is no homepage, source, or provenance for that service, so forwarding credentials and repository data to it is not justified by the stated purpose.
Instruction Scope
SKILL.md explicitly instructs sending repo name, PR number, and a GitHub token to the external API. Although it tells the agent not to store tokens, sending a token to an unknown third party is effectively credential disclosure. The skill does not offer an alternative (e.g., using the official GitHub API or a GitHub App) or detail trust/privacy controls for that endpoint.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so it does not write files or install packages. That reduces installation risk.
Credentials
No environment variables are declared, but the skill requires a GitHub access token from the user for private repos and instructs sending it to an external server. Requesting and transmitting credentials to an unverified endpoint is disproportionate relative to the described task and is a sensitive action.
Persistence & Privilege
The skill does not request persistent installation or elevated privileges (always:false) and does not modify other skills or system settings.
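As an added example (not the skill's code and not the page's own), the local alternative the Usage Guidance and Instruction Scope sections point at: the three checks the listing advertises (exposed secrets, large changes, sensitive file edits) run over the `files` objects GitHub returns for a pull request, so neither the token nor the diff leaves the machine. The patterns, weights and merge threshold are assumptions chosen for illustration, and the input is a constructed sample; fetching the file list with a locally held token is left to the reader.

```python
import re

# Secret-looking patterns, checked against added lines only. Illustrative set
# constructed for this example, not an exhaustive secret scanner.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "hardcoded_secret": re.compile(r"(?i)\b(?:password|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Paths whose modification deserves a human look: CI definitions, env files,
# container builds, key material, secrets directories (assumed list).
SENSITIVE_PATH = re.compile(
    r"(^\.github/workflows/|(^|/)\.env(\..*)?$|(^|/)Dockerfile$|\.pem$|(^|/)secrets?/)"
)
LARGE_CHANGE_LINES = 500  # additions + deletions above this flags the PR as large
MERGE_THRESHOLD = 40      # assumed cut-off: below this the PR is reported as safe


def added_lines(patch):
    """Yield the added lines of a unified-diff patch, without the leading '+'."""
    for line in (patch or "").splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def analyze_pr_files(files):
    """Score a PR from its changed files (same shape as GitHub's pulls/files objects:
    filename, additions, deletions, patch). Runs entirely offline."""
    issues, score = [], 0
    total = sum(f.get("additions", 0) + f.get("deletions", 0) for f in files)
    if total > LARGE_CHANGE_LINES:
        issues.append(f"large change: {total} lines")
        score += 20
    for f in files:
        name = f["filename"]
        if SENSITIVE_PATH.search(name):
            issues.append(f"sensitive file edited: {name}")
            score += 25
        for line in added_lines(f.get("patch")):
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    issues.append(f"possible {kind} in {name}")
                    score += 40
    score = min(score, 100)
    return {"risk_score": score, "issues": issues, "safe_to_merge": score < MERGE_THRESHOLD}


# Constructed sample PR: one hard-coded key-shaped value and one CI workflow edit.
SAMPLE_FILES = [
    {"filename": "src/app.py", "additions": 3, "deletions": 1,
     "patch": "@@ -1,2 +1,4 @@\n import os\n-KEY = os.environ['KEY']\n+KEY = 'AKIAABCDEFGHIJKLMNOP'\n+DEBUG = True\n+\n"},
    {"filename": ".github/workflows/ci.yml", "additions": 2, "deletions": 0,
     "patch": "@@ -5,0 +6,2 @@\n+      - run: ./scripts/deploy.sh\n+      - run: echo done\n"},
]
```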
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install pr-risk-analyzer
- After installation, invoke the skill by name or use /pr-risk-analyzer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of pr-risk-analyzer skill.
- Analyzes GitHub pull requests for risks like exposed secrets, large changes, and sensitive file edits.
- Provides a risk score, lists key issues, and recommends if a PR is safe to merge.
- Asks users for repository, PR number, and (for private repos) a GitHub access token.
- Ensures user security by not exposing or storing GitHub tokens.
- Handles API failures and incomplete responses gracefully, informing users if analysis cannot be completed.
Frequently Asked Questions
What is Github MergeGuard AI?
Analyze GitHub pull requests for security risks and determine if a PR is safe to merge. It is an AI Agent Skill for Claude Code / OpenClaw, with 766 downloads so far.
How do I install Github MergeGuard AI?
Run "/install pr-risk-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Github MergeGuard AI free?
Yes, Github MergeGuard AI is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Github MergeGuard AI support?
Github MergeGuard AI is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Github MergeGuard AI?
It is built and maintained by Nerdvana Labs (@nerdvana-labs); the current version is v1.0.0.