Auto Pr Merger

Security checks across malware telemetry and agentic risk

Overview

The skill implements the promised workflow but contains undisclosed LLM integration that searches .env files for GEMINI_API_KEY and sends repo file contents/conflict text to an external Gemini API — a potential secret/code exfiltration risk and an inconsistency with the SKILL.md/metadata.

This skill will automatically check out PRs, run tests, attempt fixes, and merge, and it calls an external Gemini LLM to generate fixes and resolve merge conflicts. Important points before installing or running:

1) The code tries to load GEMINI_API_KEY from the environment or from .env files in the workspace and parent directories, so it can read and use secrets from nearby .env files without that being declared.
2) File contents (including failing files and conflicted files) are sent to the remote Gemini API, which could leak proprietary code or secrets.
3) SKILL.md claims fixes are 'placeholder/mock', but the code performs real LLM calls; ask the author to correct the documentation.

Recommended actions: run the script only in a safe/test repository (no real secrets), inspect the full index.js (you have it), and either supply a dedicated GEMINI_API_KEY with minimal scope or remove/disable the LLM calls. Ask the publisher to:
(a) declare GEMINI_API_KEY in requires.env/primaryEnv,
(b) stop searching parent directories for .env,
(c) add an explicit dry-run mode and explicit confirmation before pushing/merging, and
(d) document exactly what is sent to the external API.

If you cannot verify these changes, do not run this against production repositories or with credentials that have push/merge rights.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings