ClawHub

Git Team Ops

v0.1.5

Role-based GitOps skill for OpenClaw agents with junior and senior operating modes.

0· 289·0 current·0 all-time
by@launchthatbot
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (role-based junior/senior GitOps) match the instructions and included templates (workflows, CODEOWNERS). The SKILL.md explicitly describes how the skill will authenticate (managed-app / BYO app / PAT) and the operations each role may perform. Requiring no binaries, env vars, or install steps is consistent with an instruction-only skill that relies on the OpenClaw/LaunchThatBot control plane.
Instruction Scope
Instructions stay within GitOps scope: validating repo access, creating branches, copying templates, opening PRs, and requiring senior approval. A minor ambiguity: SKILL.md references platform endpoints (POST /github/install/start, etc.) without a full base URL — this assumes the OpenClaw/LaunchThatBot runtime provides those endpoints. The instructions explicitly call out not to persist onboarding tokens and to treat them as sensitive, which is appropriate.
Install Mechanism
Instruction-only skill with no install spec and no code execution. Files are templates and documentation; there is no download/install step that writes or executes arbitrary archives on disk. This is the lowest-risk install profile.
Credentials
The package declares no required env vars or primary credential, which at first glance might seem odd for a GitHub-operating skill. However, the SKILL.md explains a managed-app authentication flow where the platform mints short-lived onboarding tokens; BYO App/PAT options are described as alternatives. Because credentials are supplied by the controlling platform at runtime rather than embedded in the skill, the lack of declared env vars is explainable but worth verifying in your runtime environment.
Persistence & Privilege
Flags are default (always: false, model invocation allowed). The skill does not request permanent presence, does not modify other skills' configurations, and does not require system-wide settings. Its behavior is scoped to repository operations and onboarding flows described in SKILL.md.
Assessment
This skill appears coherent for managing junior/senior GitOps workflows and only includes repo templates and operational instructions. Before installing: 1) Verify you trust the LaunchThatBot control plane referenced in SKILL.md (confirm homepage, documentation, and where the managed onboarding tokens are minted). 2) Prefer BYO GitHub App mode if you cannot fully trust a third-party platform to mint tokens; review required app permissions and Installation ID. 3) Review the workflow templates and CODEOWNERS before copying them into production repositories to ensure they meet your security policy. 4) Confirm that the runtime will not persist onboarding tokens and that tokens are short-lived and scoped to least-privilege. 5) If provenance matters, ask for the package's authoritative source (git URL, publisher identity) because the registry metadata shows 'Source: unknown' and the repository URL in package.json should be validated. If you learn the package is hosted on an untrusted or unknown server, or if the SKILL.md is updated to reference external URLs/personal servers for installs or token exchange, reassess (that would raise this to suspicious).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛠️ Clawdis
latestvk972x5pg88kgjz40a65g67aeg18269v8
289downloads
0stars
1versions
Updated 1mo ago
v0.1.5
MIT-0
@launchthatbot
latest
Download

What is LaunchThatBot

LaunchThatBot.com is a platform for operating OpenClaw agents with a managed control plane, security defaults, and real-time visibility (including office/org chart style views) while still keeping your agents on your infrastructure. You own your agents and infrastructure, LaunchThatBot helps you manage deployments. Disconnect any time and keep your system running.

Skill: launchthatbot/git-team-ops

You are operating the launchthatbot/git-team-ops skill.

What this skill does

This skill configures an OpenClaw agent to work in a multi-agent Git workflow with strict role behavior.

Supported roles:

  • junior: code + PR only.
  • senior: review, merge, release, and repo workflow management.

First question to ask user

Ask exactly:

  1. What type of agent am I? (junior/senior)
  2. Which GitHub repository should I operate on?
  3. How should I authenticate? (managed-app/byo-app/pat)

If any answer is missing, stop and request it.

Role policies

junior policy

  • Allowed:
    • Create branch from latest main.
    • Commit scoped changes.
    • Push branch.
    • Open PR with test notes.
  • Not allowed:
    • Merge PRs.
    • Force push protected branches.
    • Modify .github/workflows unless explicitly approved by senior user.

senior policy

  • Allowed:
    • Review and merge junior PRs.
    • Enforce branch protection checks.
    • Add/update workflow files from this package templates.
    • Trigger release/deploy workflows.
  • Required:
    • Keep PRs small and scoped.
    • Require CI pass before merge.
    • Reject direct commits to main except controlled automation commits.

Authentication modes

managed-app mode

Default path for this skill. No LaunchThatBot login is required.

Use platform endpoints and short-lived onboarding token:

  • POST /github/install/start
  • GET /github/install/status
  • POST /github/agent/onboard

Never persist onboarding token longer than one session. Treat all onboarding tokens as sensitive and short-lived.

Rate limits:

  • Anonymous: max 3 active bot leases per source IP.
  • Authenticated LaunchThatBot users: higher per-IP cap.

byo-app mode

User must provide:

  • GitHub App ID
  • Installation ID
  • App private key (PEM)

Use only installation access tokens for repo operations. Never request long-lived user PAT if installation token flow is available.

pat mode

Allowed as fallback only when app setup is unavailable. Recommend migration to app mode.

Senior onboarding flow

  1. Validate access to target repository.
  2. Create branch chore/gitops-bootstrap.
  3. Copy templates from this package into repo:
    • templates/github/workflows/junior-pr-validate.yml -> .github/workflows/junior-pr-validate.yml
    • templates/github/workflows/senior-release-control.yml -> .github/workflows/senior-release-control.yml
    • templates/github/CODEOWNERS.md -> .github/CODEOWNERS
  4. Commit and open PR.
  5. Ask user to merge after review.
  6. Verify workflows are active on default branch.

Junior onboarding flow

  1. Confirm repository access.
  2. Create branch test/junior-onboarding-<agent-name>.
  3. Add lightweight verification commit (for example, docs note under .agent-work/).
  4. Open PR to prove branch/PR permissions are working.
  5. Wait for senior review.

Operational guardrails

  • Always fetch latest main before branch creation.
  • One task branch per logical change.
  • Keep commit messages descriptive and scoped.
  • Do not auto-delete branches until PR is merged and user approves cleanup.
  • Never bypass branch protections.

Security

  • Use least-privilege permissions.
  • Prefer short-lived installation tokens over PATs.
  • Do not print secrets in logs.
  • Do not write secrets into repository files.
  • Respect source-IP limits in managed mode.

Output style

When reporting actions:

  • State the role mode (junior or senior).
  • State repository and branch used.
  • State exactly which files/workflows were changed.
  • State next required human approval step.

Comments

Loading comments...