RepoMedic v1.0.6

Safely triage and remediate GitHub dependency hygiene issues with explicit guardrails. Use when Dependabot PRs fail, pnpm lockfiles break, transitive vulnerabilities appear (e.g., glob/lodash/brace-expansion), or CI/Vercel fails due to dependency resolution. Prioritize low-risk fixes, branch+PR workflow, and plain-English explanations.
⭐ 1 · 1.5k · 5 current · 6 all-time
by Marcus Rummler (@mrummler17)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
Name/description (safe, conservative dependency remediation) aligns with the instructions and requested access (read repo, write to non-default branch, run package manager commands). One minor mismatch: the metadata declares no required binaries, but the runtime instructions explicitly rely on package manager commands (pnpm/npm/yarn). This is a small documentation inconsistency, not a security mismatch.
Instruction Scope
SKILL.md stays within scope: triage Dependabot, lockfile fixes, targeted pnpm.overrides, branch+PR workflow, and validation steps. It does not instruct the agent to read unrelated system files or exfiltrate data. Note: practical operation will require access to repo contents, CI/Vercel failure logs, and network access to package registries — those are expected for the stated tasks and are called out in the doc.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk/write footprint. No external downloads or package installs defined by the skill itself.
Credentials
No environment variables or credentials are declared in the metadata (appropriate). The SKILL.md does state it needs read access to the target repo and write access to non-default branches and that it will run package manager commands; these are proportional to purpose. Verify how the platform supplies repo credentials (platform-provided tokens vs. user-provided env vars).
Persistence & Privilege
always:false and user-invocable — the skill does not request permanent or elevated presence. It explicitly forbids pushing to main/master and modifying files outside the target repository, which limits privilege scope.
Assessment
This skill appears to do what it says: triage and apply low-risk dependency fixes using a branch+PR workflow. Before installing, confirm the agent/platform will: (1) grant only the repository-scoped read/write access you intend (branch-only write), (2) provide access to CI/Vercel logs if needed, and (3) have pnpm/npm/yarn available to run installs. Ask how credentials are supplied (platform token vs. environment variables) and require human approval for medium/high risk actions. Note the small inconsistency: the skill expects package-manager commands but the registry metadata lists no required binaries — verify availability of those tools in your environment. Prefer running the skill in a forked repo or protected branch so changes are visible as a PR before merging.
Tags: automation, dependabot, dependencies, github, latest, lockfile, pnpm, pull-requests, security, vercel
