ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Azure Dev Skill

Create pull requests in Azure DevOps repositories. Use when the user wants to open, draft, or create a PR in Azure Repos.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 74 · 0 current installs · 0 all-time installs
bySatsuki Reikaa@reiisky
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, README, SKILL.md, and the bundled Node script all align: they call the Azure DevOps REST API to create pull requests. The API endpoint used (dev.azure.com) and required inputs (org, project, repo, source/target branches, title, PAT) are appropriate for the stated functionality.
!
Instruction Scope
The SKILL.md instructs the agent to run the bundled Node script (good and scoped) but also contains a vague line: 'Prefer using environment variables ... Otherwise, ask the user securely or run a command to fetch them if instructed.' That gives the agent open-ended discretion to run commands to 'fetch' credentials or other data from the environment/workspace, which is broader than necessary for the task and could lead to accidental credential disclosure if not constrained.
Install Mechanism
No install spec; the skill is instruction-only with a bundled script (no downloads or external installers). This is low-risk from an installation perspective — nothing is fetched from arbitrary URLs and the script is small and readable.
!
Credentials
The SKILL.md expects AZURE_DEVOPS_ORG, AZURE_DEVOPS_PROJECT, AZURE_DEVOPS_REPO, and AZURE_DEVOPS_PAT (PAT) and the script reads those env vars if arguments are not supplied. However, the skill metadata lists no required environment variables or primary credential. The mismatch means the platform may not surface that a PAT is needed, and the ambiguous guidance about 'running a command to fetch them' increases the risk of credential exposure.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or modification of other skills. Autonomous invocation is allowed (platform default) but not combined with high privileges here.
What to consider before installing
This skill appears to do exactly what it says (create Azure DevOps PRs) and its Node script is small and readable, but take these precautions before installing: - Expect to provide a Personal Access Token (PAT) with Code Read & Write scope. Prefer setting it in environment variables (AZURE_DEVOPS_PAT) rather than pasting in chat. Verify how the platform will prompt you for secrets. - The SKILL.md's phrase about 'running a command to fetch them' is vague — confirm the agent will not search your filesystem or run arbitrary commands to find credentials. If possible, configure the PAT in the environment or provide it interactively for the single action. - Review the bundled scripts locally: run the create_pr.mjs yourself with a throwaway/test PAT to confirm behavior and outputs. The script only contacts dev.azure.com and does not exfiltrate data elsewhere, but you should validate this in your environment. - Ensure your Node version supports global fetch (Node 18+), or run the script in an environment where node fetch is available. If you are uncomfortable with the agent having any discretion to run commands to 'fetch' credentials, do not install or limit the skill to manual invocation only.
scripts/create_pr.mjs:19
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
0.0.1vk97055zv8wcabg1yyjbg12d09d831zemlatestvk97055zv8wcabg1yyjbg12d09d831zem

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Azure DevOps PR

Overview

This skill allows you to create pull requests in Azure DevOps Repositories via the Azure DevOps REST API. It uses a bundled script to make the API call correctly using Personal Access Tokens (PAT).

Usage Requirements

Before creating a PR, you need to gather or infer the following information:

  1. Organization: The Azure DevOps organization name.
  2. Project: The Azure DevOps project name.
  3. Repository: The repository name or ID.
  4. Source Branch: The branch containing the changes (e.g., feature-branch).
  5. Target Branch: The branch to merge into (e.g., main).
  6. Title: The title of the pull request.
  7. Description: (Optional) Details about the changes.
  8. PAT (Personal Access Token): A token with Code (Read & Write) scope. NEVER output the PAT to the user in plain text.

Note on credentials: Prefer using environment variables (AZURE_DEVOPS_ORG, AZURE_DEVOPS_PROJECT, AZURE_DEVOPS_REPO, AZURE_DEVOPS_PAT) if they are available in the workspace. Otherwise, ask the user securely or run a command to fetch them if instructed.

Execution

Use the bundled Node.js script to create the pull request. Ensure you execute it using node.

node ${skill.dir}/scripts/create_pr.mjs \
  --org "ORG_NAME" \
  --project "PROJECT_NAME" \
  --repo "REPO_NAME" \
  --pat "PERSONAL_ACCESS_TOKEN" \
  --source "source-branch" \
  --target "target-branch" \
  --title "My Pull Request Title" \
  --description "Description of changes" \
  [--draft]

Script Arguments:

  • --org: Your Azure DevOps organization name.
  • --project: Your Azure DevOps project name.
  • --repo: Your repository name.
  • --pat: Your Personal Access Token.
  • --source: The branch to merge from (e.g., feature-branch).
  • --target: The branch to merge into (e.g., main).
  • --title: The title for the PR.
  • --description: Optional. The markdown description for the PR.
  • --draft: Optional. Pass this flag to create the PR as a draft.

Example execution:

node ${skill.dir}/scripts/create_pr.mjs --org "my-org" --project "my-project" --repo "my-repo" --pat "$AZURE_PAT" --source "feature/add-auth" --target "main" --title "Add Authentication" --description "Adds JWT auth mechanism."

Handling Errors

  • 401 Unauthorized: The PAT is missing, invalid, or expired.
  • 404 Not Found: The organization, project, or repository may be incorrect.
  • 400 Bad Request: Likely invalid branch names. The script automatically prefixes branches with refs/heads/ if missing, but ensure the source branch exists on the remote and has pushed changes.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…