Repo Guardian
v1.4.1 · Automated GitHub PR review governance and repository maintenance automation. Use when reviewing pull requests with dual-model consensus, enforcing merge gate...
by Corbin Breton (@corbin-breton)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The skill's name/description (automatic PR review, dual-model consensus, auto-merge, triage) aligns with what it requires: GH_TOKEN for GitHub API access, agent names to dispatch reviews, auto-merge/auto-fix and max limits. Required binaries (openclaw, python3, curl) are used by the included shell script and are appropriate.
Instruction Scope
SKILL.md and scripts explicitly fetch PR metadata, diffs and file lists and send them in prompts to configured OpenClaw agents for review (diffs truncated to 500 lines). That behavior is expected for this skill but is a privacy/data-exposure vector: repository code from open PRs will be transmitted to whatever model providers your agents are configured to use. The script avoids leaking GH_TOKEN into prompts and truncates large diffs; it also honors a 'skip-guardian' label. These protections are reasonable but you should confirm your model endpoints and retention policies.
Install Mechanism
No install spec (instruction-only plus included script). Nothing is downloaded or written by an installer; the runtime uses existing binaries. This is low-install-risk.
Credentials
Required environment variables are configuration flags and the GH_TOKEN credential needed to call the GitHub API. No unrelated credentials are requested. The documentation recommends limited scopes and differentiates read-only vs write for auto-merge—appropriate and proportionate.
Persistence & Privilege
The skill is user-invocable, not always-on. It can autonomously invoke models (platform default) and perform merges/comments when given a token and enabled flags; this matches the declared functionality. It does not request persistent elevated platform privileges or modify other skills' configs.
Assessment
This skill appears to do what it says, but before installing:
1) Use a fine-grained GH token scoped only to the repository and only with write permissions if you enable auto-merge; leave write/remove scopes off if you only want review.
2) Be aware that PR diffs and filenames are sent to whichever model providers your OpenClaw agents use; confirm those providers, retention, and data-handling policies.
3) Test in dry-run mode and/or set GUARDIAN_AUTO_MERGE=false initially; use the 'skip-guardian' label on sensitive PRs.
4) Ensure the configured agent names (GUARDIAN_AGENT / GUARDIAN_REVIEWER_B_AGENT) map to trusted agent configurations so reviews go to the intended models.
If you want further assurance, request the full (non-truncated) guardian.sh to review any truncated portions or to audit its complete merge/comment payload construction.
Like a lobster shell, security has layers: review code before you run it.
Latest: vk97fetn4v18ghaxyna6929n52x83xfgq
Runtime requirements
Bins: openclaw, python3, curl
Env: GH_TOKEN, GUARDIAN_AGENT, GUARDIAN_REVIEWER_B_AGENT, GUARDIAN_REPO, GUARDIAN_AUTO_MERGE, GUARDIAN_AUTO_FIX, GUARDIAN_MAX_PRS, GUARDIAN_MAX_ISSUES
Primary env: GH_TOKEN
