Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Action Generator

Generate GitHub Actions workflows from plain English. Use when setting up CI.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1k · 5 current installs · 5 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The stated purpose — generating GitHub Actions workflows — matches the code and CLI behavior. The code (src/index.ts / dist/index.js) calls OpenAI to produce YAML and the CLI writes or prints workflow files, which is coherent with the description.
Instruction Scope
SKILL.md and the CLI usage are narrowly scoped to generating workflow YAML and optionally writing to .github/workflows/. The instructions do not instruct reading unrelated files or exfiltrating local data. Note: SKILL.md explicitly states 'Needs OPENAI_API_KEY' and the code reads process.env.OPENAI_API_KEY, so runtime requires that secret.
Install Mechanism
There is no install spec in the registry (instruction-only behavior), and the package is a normal Node CLI (package.json, dist/*). The skill does not download code from arbitrary URLs at install time. Running via npx will fetch the npm package (normal behaviour) — no high-risk remote install pattern was found in the files provided.
Credentials
The skill requires an OpenAI API key at runtime: src/index.ts and dist/index.js instantiate OpenAI with process.env.OPENAI_API_KEY. However the registry metadata lists no required environment variables or primary credential — an explicit mismatch. Requesting an API key is proportionate to using OpenAI, but the missing declaration is an incoherence that could confuse users about what secrets they'll need to supply.
Persistence & Privilege
The skill does not request persistent/automatic inclusion (always:false). It can write files into the repository when invoked with --install, which is expected for a workflow generator and is user-initiated; no evidence it modifies other skills or system-wide agent settings.
What to consider before installing
This tool legitimately uses the OpenAI API to generate workflow YAML, but the registry record failed to declare that requirement. Before installing or running: (1) be aware you must provide OPENAI_API_KEY — the CLI will call OpenAI with that key; use a key with minimal privileges or billing limits if possible. (2) Review the included source (src/index.ts, dist/index.js) — it shows calls to OpenAI and writes files only where requested (--install). (3) Verify the package identity (check the upstream GitHub repo URL in package.json) and npm package integrity before running npx. (4) When using --install, inspect the generated workflow YAML for secret usage, unintended credential insertion, or deployment steps that could push images or credentials. If you want to avoid exposing a production key, run it locally with a throwaway/limited key or review the code and simulate the request flow first.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

SKILL.md

GitHub Action Generator

Stop copy-pasting workflow YAML from StackOverflow. Describe what you want and get a working GitHub Actions workflow.

One command. Zero config. Just works.

Quick Start

npx ai-github-action "test and deploy on push to main"

What It Does

  • Generates complete GitHub Actions workflow files
  • Handles common patterns like test, build, deploy
  • Includes caching for faster runs
  • Supports multiple deploy targets

Usage Examples

# Test and deploy
npx ai-github-action "test and deploy on push to main"

# PR checks
npx ai-github-action "run eslint and prettier on PRs" --install

# Docker workflow
npx ai-github-action "build docker image and push to ECR" -o deploy.yml

# Scheduled job
npx ai-github-action "run database backup every night at 2am"

Best Practices

  • Use secrets - never hardcode credentials
  • Cache dependencies - saves minutes per run
  • Fail fast - run quick checks first
  • Use matrix builds - test multiple node versions

When to Use This

  • Setting up CI for a new repo
  • Adding deployment automation
  • Creating custom workflows
  • Learning GitHub Actions syntax

Part of the LXGIC Dev Toolkit

This is one of 110+ free developer tools built by LXGIC Studios. No paywalls, no sign-ups, no API keys on free tiers. Just tools that work.

Requirements

No install needed. Just run with npx. Node.js 18+ recommended. Needs OPENAI_API_KEY environment variable.

npx ai-github-action --help

How It Works

Takes your plain English description and generates GitHub Actions YAML with the right triggers, jobs, and steps. The AI knows common patterns and best practices for different workflows.

License

MIT. Free forever. Use it however you want.

Files

12 total