Is pr-reviewer safe?
https://clawhub.ai/briancolinger/pr-reviewer
The 'pr-reviewer' skill is functionally empty — it delivers no SKILL.md content, no code, and no configuration. While it poses no immediate active threat, it exhibits two significant red flags: (1) the SKILL.md is empty, meaning the skill does nothing despite claiming to be a PR reviewer, and (2) the lock.json references a completely different skill ('academic-research-hub'), suggesting possible registry manipulation or dependency confusion. This pattern is consistent with name-squatting or trojan staging, where a benign placeholder is installed first and malicious content is pushed in a future update.
Findings (6)
HIGH Empty SKILL.md — no declared behavior or boundaries -35
The skill's SKILL.md file is completely empty. This means the skill provides zero instructions to the agent, zero scope boundaries, and zero declared capabilities. While this prevents active prompt injection, it is highly anomalous — a legitimate skill should declare what it does. An empty SKILL.md could be a placeholder awaiting a future malicious update that would inherit the user's prior trust decision.
HIGH Skill identity mismatch in lock.json -25
The lock.json file references 'academic-research-hub' as the installed skill, but the actual skill being installed is 'pr-reviewer'. This metadata inconsistency suggests either a registry-level issue, a skill substitution attack, or broken tooling. If the agent or tooling resolves dependencies via lock.json, it could load a different skill than what the user approved.
MEDIUM Trojan placeholder risk — empty skill with misleading name -40
The skill occupies the 'pr-reviewer' name on the registry but delivers no content. This pattern is consistent with name-squatting or trojan staging: claim a desirable name, get users to install the empty (safe) version, then push a malicious update later. Users who auto-update or re-install would receive the payload without re-auditing.
MEDIUM Dependency confusion via mismatched lock.json -40
The lock.json references 'academic-research-hub', which is a different skill entirely. If any tooling resolves or fetches skills based on lock.json entries, this could trigger installation of 'academic-research-hub' as a dependency — a classic dependency confusion vector.
LOW No active exfiltration vectors detected -20
The skill contains no code, no scripts, and no configuration that could exfiltrate data. However, the empty SKILL.md means there are also no explicit restrictions preventing future versions from doing so.
INFO No executable content present -10
The skill contains no executable files, no package.json, no git hooks, no submodules, and no symlinks. It is functionally inert.