Prompt Request Pipeline
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is designed to automatically change and merge GitHub code, but its trigger, credential use, and command handling are too broad for unattended use.
Install only in a tightly controlled repository. Before enabling it, fix the trigger condition, restrict who can start automation, use least-privilege GitHub credentials, require CI and human review before merges, sanitize issue-derived command arguments, and disable optional external helper execution unless reviewed and pinned.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Issues that were not intentionally tagged for automation may still cause code changes, PRs, and merge attempts.
The advertised workflow says an [auto] tag triggers automation, but the template's body-trigger value is empty or has been removed. Because every string contains the empty string, the body check as written matches all issues, not only tagged ones, so the effective trigger is far wider than users expect.
CHECK: Does the title start with '[auto]' OR does the body contain ''? IF YES - MANDATORY AUTO-IMPLEMENT SEQUENCE
Use an explicit, documented trigger such as a maintainer-applied label, and require a trusted author or manual approval before implementation starts.
Anyone able to influence issue or PR text may steer the agent’s repository changes.
External GitHub event content is inserted into the agent prompt and then used as the implementation plan, with no artifact-backed author whitelist or approval boundary.
Body:
{{issue.body}}{{pull_request.body}}{{check_run.output.summary}}
...
7. Read the issue requirements carefully
8. ... implement ... from the issue body
Treat issue/PR bodies as untrusted data, restrict automation to trusted users or labels, and add a human approval step before any code-writing or merge action.
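The two findings above (the empty body-trigger and the absence of an author or approval boundary) share one fix: a gate that a maintainer controls rather than free text in the issue. The script below is an added example, not code from the skill or its author. It reproduces the check as written to show that it matches every issue, then a hardened gate that requires a tagged title, a maintainer-applied label, and an issue author who is a repository owner or member. Event fields are passed as plain strings so it runs offline; the label name `auto-implement` is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not part of the skill). Event fields arrive as arguments:
# title, body, comma-separated labels, and GitHub's author_association enum.

# The skill's check, literally: title starts with '[auto]' OR body contains ''.
# Every string contains the empty string, so the second branch always matches.
trigger_as_written() {
  title=$1
  body=$2
  case "$title" in '[auto]'*) return 0 ;; esac
  case "$body" in *''*) return 0 ;; esac   # pattern collapses to **, matches anything
  return 1
}

# Hardened gate: all three must hold.
#   1. title carries the advertised [auto] tag
#   2. a maintainer applied the (hypothetical) "auto-implement" label;
#      applying labels needs triage permission, unlike writing issue text
#   3. the issue author is OWNER or MEMBER of the repository
trigger_hardened() {
  title=$1
  labels=$2
  author_association=$3
  case "$title" in '[auto]'*) ;; *) return 1 ;; esac
  case ",$labels," in *,auto-implement,*) ;; *) return 1 ;; esac
  case "$author_association" in OWNER|MEMBER) return 0 ;; esac
  return 1
}

# Prints the decision for a constructed event so the gate can be logged.
decide() {
  if trigger_hardened "$1" "$2" "$3"; then echo run; else echo skip; fi
}
```

In a real workflow the `labeled` event's sender should be checked as well, so that a label added by a non-maintainer does not satisfy condition 2, and the implementation step should still wait for a human approval before any commit is made.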
Bad or malicious changes can be pushed and merged into the target repository without independent human review.
The agent is instructed to make repository-wide commits, push branches, create PRs, review them, and merge them automatically.
10. git add -A && git commit ...
11. git push origin feature/issue-{{issue.number}}
12. gh pr create ...
...
If ALL conditions pass: gh pr merge {{pull_request.number}} --repo {{repository.full_name}} --squash --delete-branch
Disable auto-merge by default, require branch protection and CI checks, and require a human maintainer review before merging.
A crafted issue title could cause unintended local shell commands to run in the repository environment.
The user-controlled issue title is interpolated into single-quoted shell arguments before the shell parses the command. A title containing a single quote terminates the argument early, and whatever follows (a `;`, a backtick, a `$(...)`) is parsed as further shell syntax and runs in the repository environment if the command is executed as written.
git commit -m 'feat: implement {{issue.title}} (Closes #{{issue.number}})'
...
gh pr create --title 'feat: {{issue.title}}'
Sanitize or escape all templated values, avoid constructing shell commands from issue text, and pass commit/PR text through safe argument APIs or temporary files.
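The breakout described above, shown as an added example (not the skill's code): `git` and `gh` are replaced by stubs that print their arguments, so nothing touches a repository, and the issue title is constructed to carry a quote and two extra commands. The first function reproduces textual templating of `{{issue.title}}` into the command; the second passes the same title as a single argument expanded after parsing.

```shell
#!/bin/sh
# Added example (not from the skill). Stubs record what would have run.
git() { printf 'git %s\n' "$*"; }
gh()  { printf 'gh %s\n' "$*"; }

# Constructed malicious title: the single quote closes the -m argument.
ISSUE_TITLE="fix typo' ; echo INJECTED ; echo '"
ISSUE_NUMBER=42

# As written in the skill: the title is substituted into the command TEXT,
# then the text is parsed. The result is three commands, not one.
commit_as_written() {
  cmd="git commit -m 'feat: implement $ISSUE_TITLE (Closes #$ISSUE_NUMBER)'"
  eval "$cmd"
}

# Hardened: build the message as data and expand it after parsing. Quotes
# inside "$msg" are characters, not syntax. For multi-line or long text,
# prefer a file: git commit -F msg.txt / gh pr create --body-file body.md.
commit_hardened() {
  msg="feat: implement $ISSUE_TITLE (Closes #$ISSUE_NUMBER)"
  git commit -m "$msg"
}

pr_hardened() {
  gh pr create --title "feat: $ISSUE_TITLE" --body "Closes #$ISSUE_NUMBER"
}

# How many lines came out as a separately executed INJECTED command.
injected_lines() { "$1" | grep -c '^INJECTED$' || true; }
```

Run directly, `commit_as_written` prints three lines (the stubbed commit with a truncated message, `INJECTED`, and the leftover tail), while `commit_hardened` prints one line whose argument contains the whole title intact.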
The skill can use whatever repository powers the authenticated GitHub account has, including pushing branches and merging PRs.
The automation operates with the local GitHub CLI and SSH credentials, but the artifacts do not define least-privilege scopes or prevent use of merge-capable account permissions.
- GitHub CLI (`gh`) authenticated
- Git SSH access to target repository
Use a dedicated GitHub App or token limited to specific repositories and actions, and enforce branch protection outside the skill.
If the configured helper path or npx-resolved package is compromised, code can run in the local repository workflow.
The optional task-decomposition step can execute an external TypeScript helper through npx; this is purpose-aligned but the helper and package version are not included or pinned in the artifacts.
exec("npx tsx OMEGA_BRIDGE_PATH --issue {{issue.number}} --repo {{repository.full_name}}")
Only enable omega-bridge after reviewing it, pin tool versions, and avoid npx auto-resolution in production automation.
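One way to enforce that recommendation before the exec step, as an added example that is not the skill's code: a gate that only emits the helper command when the helper file lives inside the repository, its SHA-256 matches a digest recorded at review time, and `tsx` is requested with an explicit version through `npx --package` rather than resolved to whatever is current. The repository layout, the digest, and the `tsx@4.19.2` version string are placeholders; the helper file the gate checks is constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the skill). Portable digest helper: sha256sum on
# Linux, shasum -a 256 on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Prints the command to run and returns 0 when every check passes; otherwise
# prints a reason to stderr and returns 1.
#   $1 repo root  $2 helper path  $3 reviewed digest  $4 pinned tsx spec
#   $5 issue number  $6 owner/repo
helper_exec_cmd() {
  repo_root=$1
  helper=$2
  expected=$3
  tsx_spec=$4
  issue=$5
  repo=$6
  # 1. helper must be under the repository (prefix match; ".." rejected
  #    outright to avoid escaping the prefix without needing realpath)
  case "$helper" in "$repo_root"/*) ;; *) echo "helper outside repo" >&2; return 1 ;; esac
  case "$helper" in *..*) echo "path traversal" >&2; return 1 ;; esac
  [ -f "$helper" ] || { echo "helper missing" >&2; return 1; }
  # 2. content must match what was reviewed
  [ "$(sha256_of "$helper")" = "$expected" ] || { echo "helper digest mismatch" >&2; return 1; }
  # 3. tsx must be version-pinned, e.g. tsx@4.19.2 (placeholder version)
  case "$tsx_spec" in tsx@[0-9]*) ;; *) echo "tsx not version-pinned" >&2; return 1 ;; esac
  printf 'npx --package=%s tsx %s --issue %s --repo %s\n' "$tsx_spec" "$helper" "$issue" "$repo"
}

# Constructed stand-in for OMEGA_BRIDGE_PATH under a fresh temp directory.
# Prints "<repo_root> <helper_path>"; the file content is arbitrary.
make_constructed_helper() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/skill-audit.XXXXXX")
  mkdir -p "$dir/tools"
  printf '%s\n' 'console.log("constructed helper")' > "$dir/tools/omega-bridge.ts"
  printf '%s %s\n' "$dir" "$dir/tools/omega-bridge.ts"
}
```

The recorded digest belongs in the repository alongside the helper (or in the workflow config) and is updated only when a maintainer re-reviews the file; a lockfile installed with `npm ci` serves the same purpose for the helper's own dependencies.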
Repository names, issue details, review summaries, or error information may be sent to the configured chat.
The sample configuration forwards automation results to Telegram, which is expected but is an external communication channel.
"deliver": true, "channel": "telegram", "to": "<your-chat-id>"
Use only trusted private chats, avoid sending secrets in issues or logs, and disable delivery for sensitive repositories if not needed.
