Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Flow

v0.1.0

GitHub issue and PR workflow automation. plan-to-issue - convert plan/research MD to GitHub issue body/comments [plan-to-issue.md], pr - create PR with struc...

by es6kr@drumrobot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for drumrobot/github-flow.

Prompt Preview: Install & Setup
Install the skill "GitHub Flow" (drumrobot/github-flow) from ClawHub.
Skill page: https://clawhub.ai/drumrobot/github-flow
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install drumrobot/github-flow

ClawHub CLI


npx clawhub@latest install github-flow
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's stated purpose is GitHub issue/PR automation and its SKILL.md repeatedly instructs use of git and the GitHub CLI (gh) and performing authenticated actions (create/edit issues, create PRs, post comments). Yet the registry metadata lists no required binaries and no primary credential. A GitHub-integrated workflow would reasonably require git, gh, and some authenticated GitHub credential (gh auth or GITHUB_TOKEN). The absence of these declarations is inconsistent.
Instruction Scope
The SKILL.md, plan/pr/review docs instruct the agent to read plan files, construct sanitized bodies, run git/gh commands, write temporary files (e.g., /tmp/pr-review.md), and post to GitHub. All actions stay within the described domain (issues/PRs/reviews) and include explicit sanitization rules for internal paths. The instructions do not ask for unrelated system secrets or unrelated file paths, but they assume the ability to run git/gh and access the repo.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by an installer).
Credentials
No environment variables or primary credential are declared, yet the workflow requires authenticated GitHub operations. This is disproportionate: either the skill should declare that it needs GH credentials (GH_TOKEN/GITHUB_TOKEN or rely on gh being logged in) and/or list git/gh binaries as requirements, or it should explicitly operate in read-only/template mode only. As written, it provides write-capable instructions without declaring necessary auth requirements.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to actually perform GitHub actions (create/edit issues, create PRs, post review comments) using git and the GitHub CLI. Before installing:

1) Confirm you want the agent to run gh/git commands that can create or modify repo data.
2) Ensure the environment provides the gh CLI and git, and that authentication is handled safely (prefer a least-privilege GitHub token or an authenticated gh session).
3) Require the agent to ask for explicit confirmation before any write action (PR/issue creation or posting comments).
4) Test in a fork or non-production repo first.
5) If you expect the skill to be read-only or only provide templates, ask the maintainer to explicitly declare that and/or to list required binaries and credentials in the metadata.

Providing those declarations would resolve the main incoherence and raise confidence toward 'benign.'


latest: vk9724h277spn07291k6w17bm4n84yrrn
60 downloads
0 stars
1 version
Updated 1w ago
v0.1.0
MIT-0

GitHub Flow

Convert plans, research, and implementation results into GitHub issues and PRs.

Topics

| Topic         | Description                                                              | Guide            |
|---------------|--------------------------------------------------------------------------|------------------|
| plan-to-issue | Convert plan/research MD to GitHub issue body or comments                | plan-to-issue.md |
| pr            | Create PR with structured body, test plan, and optional visual attachments | pr.md          |
| review        | Review PR code and post structured review comments                       | review.md        |

Applicability

This skill applies automatically when git remote get-url origin contains github.com. For non-GitHub remotes (GitLab, Bitbucket, etc.), this skill does not apply.

Core Rules

1. Verification Plan Required

Every issue body and PR body must include a verification/test plan section. This is shared with code-workflow's plan step.

2. No Internal Paths in Issues/PRs

.ralph/docs/, .ralph/fix_plan.md, .omc/ and other internal working paths must never appear in GitHub issue body, comments, or PR body. These are local-only artifacts.

Instead of: "See .ralph/docs/generated/plan-180.md"
Write: the actual content inline, or "See the implementation plan comment below"

3. Body vs Comment Selection

| Content Type                        | Target            | Reason                                        |
|-------------------------------------|-------------------|-----------------------------------------------|
| Implementation plan (confirmed)     | Issue body update | Stable reference for the issue                |
| Checklist (impl/verify)             | Issue body update | Trackable via GitHub checkbox                 |
| Discussion items / open questions   | Issue comment     | Threaded, time-stamped, doesn't clutter body  |
| Progress updates                    | Issue comment     | Chronological record                          |
| Review feedback summary             | Issue comment     | Preserves review history                      |
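A pre-flight check for the core rules above and the applicability test, as an added example in Python that is not part of the skill's own files. The heading spellings it accepts for the plan section are assumptions, and it tightens the page's "contains github.com" rule to an exact host match so look-alike hosts do not qualify.

```python
"""Pre-flight lint for GitHub Flow issue/PR bodies (added example, not the skill's code).

Checks the README's core rules and applicability test:
  - the body must contain a verification/test plan section;
  - local-only paths (.ralph/docs/, .ralph/fix_plan.md, .omc/) must not appear;
  - the skill applies only when the origin remote points at github.com.
"""
import re
from urllib.parse import urlparse

# Internal path prefixes named on the skill page; a real project may add more.
INTERNAL_PATHS = (".ralph/docs/", ".ralph/fix_plan.md", ".omc/")
# Heading text accepted for rule 1 (assumed spellings; the page only says
# "verification/test plan section").
PLAN_HEADING = re.compile(r"^#{1,6}\s*(verification|test)\s+plan\b", re.I | re.M)


def applies_to_remote(remote_url: str) -> bool:
    """True when the origin URL's host is exactly github.com.

    The page's rule is a substring check; this is stricter so that a host such
    as github.com.example.net does not trigger the skill.
    """
    url = remote_url.strip()
    m = re.match(r"^[\w.-]+@([\w.-]+):", url)  # scp-like form: git@host:owner/repo
    host = m.group(1) if m else (urlparse(url).hostname or "")
    return host.lower() == "github.com"


def lint_body(body: str) -> list[str]:
    """Return rule violations for an issue or PR body (empty list means clean)."""
    findings = []
    if not PLAN_HEADING.search(body):
        findings.append("missing verification/test plan section")
    for lineno, line in enumerate(body.splitlines(), 1):
        for prefix in INTERNAL_PATHS:
            if prefix in line:
                findings.append(f"line {lineno}: internal path {prefix!r} must not appear")
    return findings


if __name__ == "__main__":
    # Constructed sample body that breaks both rules.
    sample = "## Summary\nSee .ralph/docs/generated/plan-180.md for details.\n"
    print(applies_to_remote("git@github.com:drumrobot/github-flow.git"))  # True
    for finding in lint_body(sample):
        print(finding)
```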
