Is glucksberg/pr-review safe?

https://github.com/openclaw/skills/tree/main/skills/glucksberg/pr-review

Overall score: 91 / 100 (SAFE)

glucksberg/pr-review is a legitimate, well-constructed PR review skill with no malicious instructions, no exfiltration mechanisms, and no executable code. Sensitive file accesses observed in the monitoring telemetry are attributable to the oathe monitoring framework (pre-install timing, post-install canary check pattern) rather than the skill, and all canary files remain intact. The primary risks are inherent to the tool's stated design: autonomous code modification via Edit/Write tools and ingestion of project configuration files that could serve as a secondary prompt injection vector against the skill's own sub-agents.

Category Scores (score / 100 · weight)

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Secondary injection surface via project CLAUDE.md ingestion -5

Step 2 instructs a Haiku agent to read root CLAUDE.md and directory-level CLAUDE.md files from the target project. If an attacker has planted adversarial instructions in a project's CLAUDE.md, the review sub-agents could be hijacked to misreport findings, suppress real vulnerabilities, or apply malicious 'fixes'. This is a risk against the skill's operation, not malicious behavior by the skill itself.

INFO Development session metadata in plugin CLAUDE.md files -3

Both plugins/pre-review/CLAUDE.md and plugins/pre-review/commands/CLAUDE.md contain blocks with session history tables generated by a 'claude-mem' memory tool. These are benign development artifacts with no instructions directed at an agent consuming the skill.

INFO Canary file accesses attributed to monitoring framework, not skill -10

Inotifywait and auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. The first batch (09:46:28) precedes skill installation by ~5 seconds. The second batch (1771926410.914) lacks a corresponding skill-process EXECVE and matches the monitoring framework's post-install canary integrity check pattern. All canary files confirmed intact.

LOW Autonomous code modification via Edit/Write tools -8

The skill auto-applies code fixes for issues scoring >= 70 (diff mode) or >= 80 (audit mode) without per-fix user confirmation. While thresholds reduce false-positive fixes and the behavior is fully disclosed, users should be aware that running /pr-review may silently modify source files.

INFO High agent parallelism — 5 Sonnet + multiple Haiku agents per invocation -4

Each invocation of /pr-review spawns 5 Sonnet general-purpose agents and 2-3 Haiku agents. This is resource-intensive and may have cost implications but is accurately described in the README and SKILL.md.

LOW Auto-fix autonomy without per-change confirmation -10

The skill modifies files autonomously up to the stated confidence threshold. In edge cases where the AI misjudges confidence, correct code could be altered. The 'Never auto-fix issues requiring architectural changes' and 'be conservative' guidelines partially mitigate this.

LOW Sub-agent injection risk from malicious project configuration files -10

Beyond CLAUDE.md, the skill reads .eslintrc, .prettierrc, tsconfig.json, CONTRIBUTING.md, and package.json. Adversarial content injected into any of these files could influence sub-agent behavior during review. The risk is identical to any LLM-powered tool that ingests project config files.