when-reviewing-github-pr-use-github-code-review
Warn
Audited by Socket on Jun 26, 2026
1 alert found:
AnomalyAnomalySKILL.md
LOWAnomalyLOW
SKILL.md
SUSPICIOUS: the overall purpose is coherent for a GitHub PR review skill, and the main external tools appear same-publisher and plausibly official. However, risk is elevated by unpinned `npx @alpha` execution, opaque local shell scripts, and the combination of processing untrusted PR content with the ability to post comments/labels back to GitHub. No clear evidence of credential harvesting or malicious exfiltration is present, so this is not malware, but it is a medium-risk skill that should be reviewed with the referenced scripts and auth/data paths before use.
Confidence: 81%Severity: 58%
Audit Metadata