Peter PR Ops
v1.2.1
PR wrap-up automation. Serial merging for a single PR and batch cleanup for multiple PRs, reducing repetitive manual work.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly expects to run git and the GitHub CLI (gh) and to execute repository scripts (scripts/automerge, scripts/massageprs, scripts/ensure-workflow-docs). The registry metadata lists no required binaries or credentials — that mismatch is incoherent. A PR automation skill legitimately needs git/gh and possibly CI/GitHub credentials, so the manifest should declare them.
Instruction Scope
The runtime instructions direct the agent to: determine the repo root, run repo-local scripts (including a fallback from $HOME), run gh pr view/checks/merge/list, and update docs/SESSION-BOOTSTRAP.md. Executing repo-provided scripts (or a script in $HOME) can run arbitrary code and perform actions outside the narrow task, so the instructions broaden scope beyond mere API calls. The steps are coherent with PR automation but grant broad discretion to execute repository code.
Install Mechanism
This is an instruction-only skill with no install spec or code files; that is the lowest-risk install mechanism. Nothing is downloaded or written by the skill itself.
Credentials
The skill declares no required environment variables, but it will invoke gh which uses the system's GitHub CLI authentication (gh auth) or environment tokens. That is expected for a GitHub automation tool, but the manifest should state the dependency on authenticated gh/git and document what credentials/scopes are needed. The skill does not request unrelated secrets.
Persistence & Privilege
always:false and no install hooks are present. The skill does not request persistent, cross-agent privileges. It will modify repository files (docs/SESSION-BOOTSTRAP.md) which is within the repo scope.
What to consider before installing
Before installing or enabling this skill: (1) Confirm the host has git and the GitHub CLI (gh) available; the skill expects them even though the manifest does not declare them. (2) Inspect the repository scripts referenced (scripts/automerge, scripts/massageprs, scripts/ensure-workflow-docs) and any script at $HOME/ai_code/study_peter/scripts — they will be executed and can run arbitrary commands. (3) Understand which GitHub credentials/gh auth are used and restrict their scopes (use a least-privilege token or run in a test/fork environment). (4) Test the skill on a non-critical repository or a fork to confirm behavior. (5) Prefer the author update the manifest to list required binaries (git, gh) and document required auth scopes and exact file paths to avoid hidden execution of unexpected scripts. If you cannot review the scripts or do not trust them, do not run this skill with an account that has merge permissions.
Like a lobster shell, security has layers — review code before you run it.
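A preflight for points (1) and (2) of the checklist above, as an added example that is not part of the skill or of the scan report: it reports whether git and gh are on PATH, the state of each script the skill would execute, and which ensure-workflow-docs the skill's lookup order would actually run. The function names and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight audit of the scripts this skill would execute.
# Function names and output format are hypothetical, not part of the skill.

# Print "<state> <path>" where state is one of:
# missing | not-executable | loose-perms | executable
script_state() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing $path"
    elif [ ! -x "$path" ]; then
        echo "not-executable $path"
    elif [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        # Writable by group or others: another account could change what runs.
        echo "loose-perms $path"
    else
        echo "executable $path"
    fi
}

# Mirror the skill's lookup order (repo first, then $HOME) and print the
# ensure-workflow-docs that would run; return 1 if neither is executable.
would_run_ensure_docs() {
    for candidate in "$1/scripts/ensure-workflow-docs" \
                     "$2/ai_code/study_peter/scripts/ensure-workflow-docs"; do
        if [ -x "$candidate" ]; then echo "$candidate"; return 0; fi
    done
    return 1
}

# Args: <repo_root> [home_dir]. One report line per tool and per script.
audit_skill_scripts() {
    repo_root=$1
    home_dir=${2:-$HOME}
    for tool in git gh; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "tool-found $tool"
        else
            echo "tool-missing $tool"
        fi
    done
    for name in automerge massageprs ensure-workflow-docs; do
        script_state "$repo_root/scripts/$name"
    done
    # The $HOME fallback lives outside the repository, so review it separately.
    script_state "$home_dir/ai_code/study_peter/scripts/ensure-workflow-docs"
}
# Usage: audit_skill_scripts "$(git rev-parse --show-toplevel)"
```

A path printed by would_run_ensure_docs that starts with the home directory means the skill would execute code that is not under the repository's review or version control.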
Peter PR Ops
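30-second overview
Used to "get PRs finished."
By default, reuse the repository scripts first:
- Single PR: scripts/automerge
- Batch PRs: scripts/massageprs
When the scripts are missing, first try to restore them; only if that fails, fall back to the gh command flow.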
When to use
- The user mentions "merge this PR", "batch-clean PRs", or "automatically handle comments and CI"
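Execution steps
1. Identify the processing mode:
   - Single PR: watch it serially through to a result
   - Multiple PRs: configure auto-merge in batch
2. Prefer the script path:
       scripts/automerge <pr>
       scripts/massageprs <pr1> <pr2>
3. When the scripts are missing, restore them first (then retry step 2):
       # Resolve the repository root; fall back to the current directory outside a git work tree
       repo_root="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
       # Prefer the repo-local helper; otherwise fall back to the copy under $HOME
       if [ -x "$repo_root/scripts/ensure-workflow-docs" ]; then
         "$repo_root/scripts/ensure-workflow-docs" all
       elif [ -x "$HOME/ai_code/study_peter/scripts/ensure-workflow-docs" ]; then
         "$HOME/ai_code/study_peter/scripts/ensure-workflow-docs" all
       else
         echo "ensure-workflow-docs not found"
       fi
4. Fallback path (when restoring fails or is unavailable):
   - Single PR (squash by default):
         gh pr view <pr> --json number,state,mergeStateStatus
         gh pr checks <pr>
         gh pr merge <pr> --auto --squash
   - Batch PRs (no squash by default, which makes concurrent wrap-up easier):
         gh pr list --author "@me" --state open --json number --jq '.[].number'
         gh pr merge <pr> --auto --merge
5. Output the results:
   - Merged
   - Still waiting on CI
   - Blocked (with the reason)
   - Whether docs/SESSION-BOOTSTRAP.md has been refreshed (Last Updated + Last Merge Baseline)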
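Guardrails
- Do not force a merge when CI is red.
- Single PR mode defaults to squash (consistent with Peter's /automerge habit).
- Batch mode does not force squash by default, to avoid breaking the existing history strategy.
- After a merge completes, refresh the timestamp and merge baseline in docs/SESSION-BOOTSTRAP.md once by default.
- Each time, report only actionable next steps; do not output vague status.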
