github-pr-workflow
Audited by Socket on Feb 20, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

The material documents a legitimate GitHub PR automation workflow using local Git and the official GitHub CLI. I found no evidence of covert malicious activity (no obfuscated payloads, no hardcoded credentials, no suspicious external endpoints). The main issues are operational security risks: defaulting to automatic merging and branch deletion, and recommending force-push in conflict resolution. If deployed, ensure least privilege for the account/runner, require review/CI gates before auto-merge, disable force-push guidance on shared branches, and validate the actual script file for any hidden actions not present in this documentation.

LLM verification: This skill is functionally consistent with its stated purpose (automating PR creation, checking conflicts, and merging via GitHub CLI). It does not contain clear indicators of malware or credential exfiltration. Primary risks are operational: automating gh auth/install flows, defaulting to auto-merge and branch deletion, and recommending force-push after conflict resolution. Those behaviors can cause destructive changes or bypass review/branch-protection policies if used without safeguards. Reco