Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Prompt Request Pipeline

GitHub Issue → auto-implement → PR → review → auto-merge pipeline. Write an Issue with [auto] tag, and the pipeline handles everything: task analysis, implem...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 346 · 1 current installs · 1 all-time installs
by Shunsuke Hayashi (@ShunsukeHayashi)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to automate GitHub workflows and the runtime instructions do exactly that (clone, branch, edit, commit, push, create PR, review, merge). However the SKILL metadata declares no required credentials or config, while the doc explicitly requires GitHub CLI authentication, SSH write access, an OpenClaw hooks token/endpoint, and a webhook — this mismatch between declared requirements and actual needs is incoherent and materially important.
[!] Instruction Scope
The SKILL.md instructs the agent to perform potentially destructive repository actions (clone repos, run tests, edit code, commit, push, create PRs, and auto-merge) and to read arbitrary files inside the repo (other agents' AGENTS.md, other skills' SKILL.md). It also contains forceful 'You MUST execute' wording that removes human-in-the-loop discretion. Those actions are within the stated purpose but grant broad write/read access to repository contents and could produce unintended changes if misconfigured.
Install Mechanism
No install spec or external binary downloads are included in the skill bundle (instruction-only). That minimizes supply-chain risk from the skill package itself.
[!] Credentials
The runtime requires sensitive capabilities (GitHub CLI auth and SSH push rights, webhook secret for OpenClaw, access to a working directory where repos are cloned) but the skill metadata lists no required environment variables or primary credential. The messageTemplate also sets allowUnsafeExternalContent=true and sends output to an external channel (telegram). These implicit/undeclared requirements and permissive delivery settings increase risk and are disproportionate to what the package declares.
Persistence & Privilege
The skill is not marked always:true and doesn't request persistent platform privileges, but it instructs autonomous modification of external repositories (push/PR/merge) when invoked. Autonomous invocation combined with the above undeclared credential assumptions raises operational risk — consider restricting invocation scope and requiring manual approvals.
What to consider before installing
This skill will automatically clone repositories, modify code, commit, push, create PRs, review, and merge — so before installing:

  1. Recognize that the SKILL.md assumes GitHub CLI auth, SSH write access, and an OpenClaw webhook token/endpoint even though the skill metadata lists no required credentials — treat those as required and only grant minimal-scoped credentials (deploy key or fine-scoped PAT) on a test repo first.
  2. The message template sets allowUnsafeExternalContent=true and delivers to an external channel (telegram); avoid exposing secrets in what the agent posts and restrict destination channels.
  3. The instructions say 'MUST execute' — prefer adding a mandatory manual-approval step (or a staging repository) to prevent unintended writes.
  4. Test thoroughly in a sandbox repository with limited access and CI protections enabled (branch protection rules, required reviews) before enabling on real repos.
  5. Consider removing or auditing any references that let the agent read other skills/agent files if those repositories may contain secrets.

If you want, provide the maintainer contact or a provenance/source URL — lack of a homepage/source reduces transparency and increases risk.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Prompt Request Pipeline

A pipeline that runs fully automatically from auto-implementation → PR → review → merge, just by writing an Issue.

Overview

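[auto] Issue filed
  → 🚀 Implementation-started comment
  → Phase A: Task decomposition (Omega-bridge or Issue body)
  → 📋 Analysis-complete comment
  → Phase B: Implementation + tests
  → ✅ Implementation-complete comment
  → Phase C: commit → push → PR creation
  → 🔗 PR-created comment
  → Automatic review → automatic merge → Issue close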

Prerequisites

  • OpenClaw Gateway running with hooks enabled
  • GitHub CLI (gh) authenticated
  • Git SSH access to target repository
  • GitHub Webhook pointing to OpenClaw hooks endpoint

Setup

1. Register GitHub Webhook

On your GitHub repo → Settings → Webhooks → Add webhook:

  • Payload URL: https://<your-openclaw-endpoint>/hooks/github
  • Content type: application/json
  • Secret: Your OpenClaw hooks token
  • Events: Select individual events:
    • Issues
    • Pull requests
    • Pull request reviews
    • Check runs
    • Issue comments
    • Push

2. Configure OpenClaw hooks

Add this to your openclaw.json under hooks.mappings:

{
  "match": { "path": "github" },
  "action": "agent",
  "name": "GitHub",
  "sessionKey": "hook:github:{{repository.name}}:{{headers.x-github-event}}:{{issue.number}}{{pull_request.number}}{{check_run.id}}",
  "messageTemplate": "<see templates/messageTemplate.txt>",
  "deliver": true,
  "allowUnsafeExternalContent": true,
  "channel": "telegram",
  "to": "<your-chat-id>",
  "model": "anthropic/claude-opus-4-6",
  "thinking": "high",
  "timeoutSeconds": 900
}

3. Set working directory

In the messageTemplate, replace the working directory path:

  • WORKDIR variable: where repositories are cloned (e.g., C:\Users\you\Dev or /home/you/dev)

4. (Optional) Omega-bridge

If you have Miyabi's omega-bridge for SWML-based task decomposition:

  • Set the path to omega-bridge.ts in the messageTemplate
  • If not available, the pipeline falls back to implementing directly from Issue body

Usage

Basic: Create an [auto] Issue

Title: [auto] Add utility function X

Body:
## Requirements
- Create scripts/x.sh with function do_x()
- Add tests in tests/test-x.sh

## Acceptance Criteria
- Function returns expected output
- Tests pass

Advanced: With agent personality

Title: [auto] [content] Write article about Y

Body:
Read agents/content-agent/AGENTS.md and SOUL.md first.
Follow the rules defined there.

## Topic
...

## Output
- File: articles/y.md
- Word count: 6000

Advanced: With skill reference

Title: [auto] Generate report with weather data

Body:
Read skills/weather/SKILL.md for API usage.

## Requirements
...

How It Works

Issue Events (action=opened)

  1. Early exit check: If action is closed/labeled/etc → 1-line reply, stop
  2. [auto] check: Title starts with [auto] or body contains <!-- auto-implement -->
  3. Phase A: Task decomposition (omega-bridge or direct)
  4. Phase B: Implementation (branch, code, test)
  5. Phase C: Integration (commit, push, PR)
  6. Progress comments posted at each phase
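
The issue-event checks above decide who can start an autonomous write to the repository. The following is an added example, not part of the skill's files: it implements the early-exit and [auto] checks as listed and adds a gate on the issue author's `author_association`, which the page does not list. The trusted set, the bot check on issue events and the sample payloads are assumptions constructed for illustration.

```python
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}   # assumed policy, adjust per repo
MARKER = "<!-- auto-implement -->"

def is_auto_issue(issue):
    """The page's [auto] check: title prefix or hidden body marker."""
    title = issue.get("title") or ""
    body = issue.get("body") or ""           # GitHub sends null for an empty body
    return title.startswith("[auto]") or MARKER in body

def decide(event, payload):
    """Return (run_pipeline, reason) for one webhook delivery."""
    if event != "issues" or payload.get("action") != "opened":
        return False, "early exit: not an issue-opened event"
    issue = payload.get("issue") or {}
    if not is_auto_issue(issue):
        return False, "no [auto] marker"
    if (payload.get("sender") or {}).get("type") == "Bot":
        return False, "bot sender skipped"
    assoc = issue.get("author_association", "NONE")
    if assoc not in TRUSTED:                 # added gate, not in the page's list
        return False, "author_association " + assoc + " not trusted"
    return True, "trusted [auto] issue"

# Constructed sample deliveries (trimmed to the fields the checks read).
MEMBER_ISSUE = {"action": "opened", "sender": {"type": "User"},
                "issue": {"title": "[auto] Add utility function X",
                          "body": "## Requirements", "author_association": "MEMBER"}}
OUTSIDER_ISSUE = {"action": "opened", "sender": {"type": "User"},
                  "issue": {"title": "Typo in README",
                            "body": "fix please " + MARKER,
                            "author_association": "NONE"}}
CLOSED_ISSUE = {"action": "closed", "sender": {"type": "User"},
                "issue": {"title": "[auto] Add utility function X",
                          "body": None, "author_association": "OWNER"}}

if __name__ == "__main__":
    for name, p in (("member", MEMBER_ISSUE), ("outsider", OUTSIDER_ISSUE),
                    ("closed", CLOSED_ISSUE)):
        print(name, decide("issues", p))
```

Without the association gate, the second delivery would pass the page's [auto] check through the body marker alone.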

PR Events (action=opened/synchronize)

  1. Skip bot senders (loop prevention)
  2. Diff review for quality/security
  3. Auto-merge if ALL conditions met:
    • PR title contains [auto] or branch starts with feature/issue-
    • Review is LGTM
    • CI checks pass (or empty = pass)
    • No merge conflicts
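
The "CI checks pass (or empty = pass)" condition means a repository with no CI configured merges on the agent's own LGTM. The following is an added example, not the skill's code: it puts the four conditions as documented beside a fail-closed variant that requires a named check to be green and a human approval, in line with the scan's manual-approval recommendation. The `PR` record, its field names and the required check name `test` are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PR:
    # Constructed, simplified record; field names are assumptions for this example.
    title: str
    branch: str
    review: str                                  # agent's diff-review verdict
    checks: dict = field(default_factory=dict)   # check name -> conclusion
    mergeable: bool = True
    human_approvals: int = 0                     # approvals from non-bot accounts

def is_auto(pr):
    return "[auto]" in pr.title or pr.branch.startswith("feature/issue-")

def gate_as_documented(pr):
    """The four auto-merge conditions as the page lists them."""
    ci_ok = all(c == "success" for c in pr.checks.values())  # all() of nothing is True
    return is_auto(pr) and pr.review == "LGTM" and ci_ok and pr.mergeable

def gate_fail_closed(pr, required=("test",), min_human_approvals=1):
    """Same conditions, but missing CI or missing human review blocks the merge."""
    reasons = []
    if not is_auto(pr):
        reasons.append("not an [auto] PR")
    if pr.review != "LGTM":
        reasons.append("agent review is not LGTM")
    missing = [n for n in required if pr.checks.get(n) != "success"]
    if missing:
        reasons.append("required checks not green: " + ", ".join(missing))
    if any(c != "success" for c in pr.checks.values()):
        reasons.append("a reported check did not succeed")
    if not pr.mergeable:
        reasons.append("merge conflict")
    if pr.human_approvals < min_human_approvals:
        reasons.append("no human approval")
    return (not reasons), reasons

# Constructed sample PRs.
NO_CI = PR("[auto] Add utility function X", "feature/issue-12", "LGTM")
GREEN = PR("[auto] Add utility function X", "feature/issue-12", "LGTM",
           checks={"test": "success"}, human_approvals=1)

if __name__ == "__main__":
    for name, pr in (("no CI configured", NO_CI), ("CI green + approval", GREEN)):
        print(name, gate_as_documented(pr), gate_fail_closed(pr))
```

On GitHub the same effect comes from branch protection with required status checks and required reviews, which holds even if the agent's instructions are ignored.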

Safety Rules

  • Never force push
  • Never push directly to main
  • Never run permission commands (icacls/chmod/chown)
  • Max 3 CI fix retries per PR
  • Bot sender events are skipped

Configuration Options

| Option | Default | Description |
| --- | --- | --- |
| model | claude-opus-4-6 | Model for hook sessions |
| thinking | high | Thinking level |
| timeoutSeconds | 900 | Max execution time (15 min) |
| deliver | true | Send results to chat |
| channel | telegram | Delivery channel |

Performance (measured)

| Metric | Before optimization | After optimization |
| --- | --- | --- |
| close/push events | 8-12 min, ~500 tokens | 3 sec, ~15 tokens |
| [auto] Issue → merged PR | N/A (stuck) | ~5 min |
| Full pipeline (Issue → merge) | N/A | ~5 min |

Tips

  • Keep Issues small: 1 Issue = 1 clear deliverable, ≤300 lines of diff
  • Be specific: The quality of the Issue body directly determines output quality
  • Use templates: Create Issue templates for recurring task types
  • Reference skills: Point the agent to relevant SKILL.md files for domain knowledge
  • Reference agent definitions: Store AGENTS.md/SOUL.md in the repo for consistent behavior
