PR Auto-Merge Agent
v1.0.0
Autonomous PR merge agent. Scans repos for approved + CI-passing PRs and merges them automatically. Supports dry-run mode, squash/merge options, and min-appr...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill only uses the GitHub CLI (gh) via subprocess calls to list and merge PRs and includes a small Python script that implements the described filtering and merge behavior. No unrelated credentials, binaries, or services are requested — this aligns with the stated purpose.
Instruction Scope
Instructions are narrowly scoped to calling gh pr list and gh pr merge; the script does not read arbitrary files or environment variables. Minor issues: the GH Actions example suggests `pip install gh` (the GitHub CLI is usually installed via package managers or GitHub releases, not pip); SKILL.md and function defaults have small inconsistencies (min-approvals default documented as 1 but get_prs_to_merge has a default of 2 in its signature, though main() passes the CLI value). The script enforces only APPROVED reviewDecision, which matches the description.
Install Mechanism
No install spec is provided and the skill is instruction-only with a single, readable script. Nothing is downloaded or executed from external URLs, and included code isn't obfuscated.
Credentials
No environment variables or secrets are requested by the skill itself; it relies on the system-installed gh CLI and the user's authenticated gh session (which must have a token with repo scope). That requirement is proportionate to the task of merging PRs.
Persistence & Privilege
always is false and the skill does not request permanent or elevated platform privileges. It can be invoked by the agent (the normal default), which is expected for an automation skill that may be scheduled or called by an agent.
Assessment
This skill appears to do exactly what it says: it needs a system-installed, authenticated GitHub CLI (gh) with repo permissions and will call gh to list and merge PRs. Before enabling it: 1) Test thoroughly in dry-run mode (default) and on a non-critical repo. 2) Verify how you install the GitHub CLI — the GH Actions example recommending `pip install gh` is misleading; prefer the official gh installers or package managers. 3) Confirm the token used by gh has only the permissions you intend (repo scope is required to merge). 4) Review and adjust min-approvals and squash/merge options, and consider scheduling only for repos you trust the automation on. 5) If you plan to let an autonomous agent run this regularly, restrict which repos it can target and audit runs/logs to avoid unintended merges.
Like a lobster shell, security has layers — review code before you run it.
auto-merge, automation, ci-cd, github, latest, pr
