Smart PR Review

Opinionated AI code reviewer — not a yes-machine. 6-layer deep review (logic, edge cases, performance, security, maintainability, architecture) with Devil's...

What to check before installing or running this skill: - Metadata vs code mismatch: The registry says 'no env vars required' but README/index.ts expect GITHUB_TOKEN and GITHUB_WEBHOOK_SECRET (and possibly ANTHROPIC_API_KEY). Treat those as required if you plan to run the provided webhook server. - If you only want ad-hoc local reviews via the agent/gh CLI path, you do not need to run the server, but the skill will run gh/git commands and read repository files and diffs — ensure you run it in the intended repo and understand it may send diffs to an external model endpoint. - Inspect index.ts (complete file) before running: search for any network endpoints beyond api.github.com and your configured AI provider (Anthropic/OpenAI). Confirm the code only sends review content to those expected endpoints. - Principle of least privilege: If you run the webhook, give GITHUB_TOKEN the minimum scope needed (repo:status/repo:pulls as applicable) and keep the webhook secret private. Run the service in an isolated environment. - Sensitive-data handling: The skill will transmit code and diffs to external AI services if configured (e.g., ANTHROPIC_API_KEY). Do not expose proprietary or secrets-containing diffs to external models unless you accept that risk. - If you plan to self-host: follow README's npm/install steps (they are not in registry metadata). Audit dependencies and run in a controlled environment. - If you expect a purely instruction-only skill, be cautious — the presence of index.ts and webhook instructions means there is optional server behavior that requires credentials. Ask the publisher or inspect the full code to confirm exactly where data is sent and what is persisted. If you want, I can: (1) scan the full index.ts for outgoing endpoints and model API usage, (2) highlight every place environment variables are read, or (3) list concrete minimal GitHub token scopes needed for safe operation.

Type: OpenClaw Skill Name: smart-pr-review Version: 1.0.1 The 'smart-pr-review' skill is a legitimate AI-powered code analysis tool designed to perform deep technical reviews of GitHub Pull Requests and local git diffs. It utilizes standard system tools (git, gh CLI) and external APIs (GitHub, Anthropic) to fetch code and generate structured feedback. The implementation in 'index.ts' includes proper security practices such as HMAC-SHA256 signature verification for webhooks and timing-safe comparisons. While the skill requires significant permissions (Bash, WebFetch) and sensitive API keys to function, all code logic and markdown instructions are strictly aligned with its stated purpose of code quality and security auditing, with no evidence of malicious intent or data exfiltration.