Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GH Triage

Automatically scans GitHub repos to label, comment, assign, and fix issues and PRs for efficient triage and reporting.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and code require a GH_TOKEN for repo access and auto-fixing, and auto_fix.js optionally requires GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL — but the registry metadata declares no required environment variables or primary credential. This is an inconsistency: a GitHub token is necessary for the skill to function, yet it is not declared in the metadata.
Instruction Scope
Runtime instructions (and code) clone configured repos, run 'npm ci', run lint/format/test scripts, and commit/push changes using the provided token. Running 'npm ci' and 'npx' may execute lifecycle scripts or fetch/run code from npm or the repo itself — meaning arbitrary repo-supplied code could run on the host. The skill also embeds the token in the clone URL and performs write operations (create branch, commit, push, open PR). These behaviors go beyond passive triage and carry execution and write risks.
Install Mechanism
There is no external download/install spec; the package includes normal Node.js files and a package.json with standard dependencies (@octokit/rest, node-cron, dotenv). No arbitrary remote archive downloads or URL shorteners are used.
Credentials
Asking for a GitHub token is proportionate to triage and push operations, but the token is not declared in metadata and the code expects additional env vars (GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL) for commits. The skill requires a token with sufficient repo permissions (likely write access), which is a powerful credential; the metadata should declare this and users should be advised to use least-privilege tokens. The skill also places the token into HTTPS clone URLs, which can expose it in logs or git metadata if not handled carefully.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It can run autonomously (default model invocation allowed), which combined with an over-privileged GH token increases blast radius — but autonomous invocation alone is expected for skills.
What to consider before installing
This skill does what it says (triage and automatic small fixes), but be cautious: the code requires a GH_TOKEN (not declared in registry metadata) and will clone repos, run 'npm ci'/'npx' and other commands that can execute code from the target repository or its dependencies. Before installing, do the following:

1) only supply a least-privilege GitHub token (limit it to specific repos and to the narrowest scopes needed; if you don't want pushes/PRs, use a read-only token);
2) run the skill in an isolated environment (container or sandbox), because it executes repo code;
3) inspect and verify the skill's code and the repositories you configure;
4) consider disabling or carefully reviewing the auto-fix behavior (commits/pushes) until you trust the environment and token handling;
5) prefer storing secrets in your host secret store rather than plaintext env files.

The metadata inconsistencies (undeclared env vars and use of config.example.json instead of a configurable config.json) are additional warnings; treat this as a prototype that needs hardening rather than a drop-in safe tool.
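As an added example written from the defender side (this is not the skill's own code), the Node.js wrapper below shows how the clone and install steps flagged above can be run without putting the token in the clone URL and without letting repo-supplied npm lifecycle scripts execute. It assumes the token is supplied as the GH_TOKEN environment variable and that the target repository URL comes from the skill's configuration.

```javascript
// Added example, not part of the gh-triage skill. Assumes GH_TOKEN is set
// in the environment and that remoteUrl comes from config.json.

// Return a copy of the URL with any userinfo replaced, safe to write to logs.
function redactUrl(remoteUrl) {
  const u = new URL(remoteUrl);
  if (u.username || u.password) {
    u.username = "REDACTED";
    u.password = "";
  }
  return u.href;
}

// Refuse remotes that already carry credentials: once such a URL is cloned,
// the token is persisted in .git/config and appears in git's error output.
function assertNoEmbeddedCredentials(remoteUrl) {
  const u = new URL(remoteUrl);
  if (u.username || u.password) {
    throw new Error(`refusing remote with embedded credentials: ${redactUrl(remoteUrl)}`);
  }
  return u.href;
}

// git argv: the token reaches git through a per-invocation credential helper
// that reads $GH_TOKEN from the child's environment (expanded by the helper's
// shell, not by us), so neither the URL nor the process list carries the value.
function buildCloneArgs(remoteUrl, destDir) {
  const href = assertNoEmbeddedCredentials(remoteUrl);
  const helper =
    'credential.helper=!f() { echo username=x-access-token; echo "password=$GH_TOKEN"; }; f';
  return ["-c", helper, "clone", "--depth", "1", href, destDir];
}

// npm argv: --ignore-scripts blocks preinstall/postinstall hooks from the
// repo and its dependencies; review them by hand before ever enabling them.
function buildInstallArgs() {
  return ["ci", "--ignore-scripts", "--no-audit", "--no-fund"];
}

// Minimal child environment: PATH, HOME and the token, nothing else from the host.
function buildChildEnv(token) {
  if (!token) throw new Error("GH_TOKEN is not set");
  return { PATH: process.env.PATH, HOME: process.env.HOME, GH_TOKEN: token };
}

// Run one step with the restricted environment; fail loudly on non-zero exit.
function runStep(cmd, args, env) {
  const { spawnSync } = require("node:child_process");
  const r = spawnSync(cmd, args, { env, stdio: "inherit" });
  if (r.status !== 0) throw new Error(`${cmd} ${args[0]} failed (exit ${r.status})`);
}
```

A full run is `runStep("git", buildCloneArgs(url, dir), env)` followed by `runStep("npm", buildInstallArgs(), { ...env, cwd: dir })`; pass the same `-c credential.helper` option on any later push so the token is never written to disk.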


Current version: v0.1.0
Tags: automation, github, latest


SKILL.md

gh-triage

Proactive GitHub issues/PR triage and lightweight fixes.

What it does

  • Periodically (cron) scans configured repositories for new issues and PRs
  • Labels, comments, and assigns based on simple rules (area labels, needs-info, triage-needed)
  • Can apply small fixes automatically (typo fixes, formatting, missing issue templates) when enabled
  • Emits a report and creates follow-up tasks for maintainers

Files

  • index.js — main skill entrypoint (node)
  • package.json — dependencies and scripts
  • SKILL.md — this file
  • config.example.json — configuration template for repos, tokens, rules

Security

  • Requires a GitHub token with repo access. Keep secrets out of the repo; provide via environment variables or the host secret store.

Usage

  • Install by placing the folder in workspace/skills and follow project conventions
  • Configure repos and rules in config.json (copy config.example.json)
  • Run with: node index.js or integrate with OpenClaw skill loader

License: MIT
