ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Pipeline

技能自动开发流水线(PM辅助工具)。PRD→Plan预审→Review(12维度评分)→修复(≤3轮)→发布的质量保障工具。v1.0定位PM手动调度中心。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 38 · 0 current installs · 0 all-time installs
by@zhaog100
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description describe a PM-focused pipeline and most code matches that purpose (PRD parsing, plan review, review/fix/publish engines). However the code also (a) contains v2 spawn/agent automation primitives despite v1.0 being described as manual, (b) references unrelated external scripts (../github-bounty-hunter) and a hard-coded git remote name 'xiaomili', and (c) relies on network publishing (git push, clawhub) and 'jq'/'git'/'clawhub' CLIs while the skill metadata declares no required binaries or credentials. These are plausible features but the missing declarations and extraneous references are inconsistent with the manifest.
Instruction Scope
Runtime instructions and scripts read and write user files under $HOME/.openclaw (state, workspace, reports), parse and update PRD files in workspace/docs/products, and emit SPAWN_* prompts for agent-driven subagents. That behavior is in-scope for a pipeline tool, but the publish step will attempt to commit/push code and edit PRD files automatically — actions that materially change user repos and files and that the manifest does not explicitly call out as requiring credentials/consent.
Install Mechanism
No install spec or remote downloads are present; the skill is distributed as shell scripts and docs. That lowers the install-supply-chain risk compared to fetching code at runtime. However, sourcing or running the provided scripts will execute code on the host, so review is still necessary.
!
Credentials
The skill requires access to the user's filesystem (HOME/.openclaw workspace and PRD files) and to developer tooling (git, clawhub, jq, grep -P likely). It will perform network operations (git push to 'xiaomili' or 'origin', ClawHub publish) that rely on existing credentials, yet the skill declares no required environment variables or credentials. The mismatch means the skill could use existing git/CLI credentials unexpectedly and will attempt to push/publish without an explicit credential declaration.
Persistence & Privilege
always:false (good). The skill writes state into ~/.openclaw/pipeline and workspace report files and can modify PRD documents and git repos in the user's workspace. It does not request persistent inclusion or modify other skills' configs, but the ability to auto-commit/push and edit PRD files is a meaningful privilege and should be explicitly approved by the user.
What to consider before installing
This skill is a Bash-based PM pipeline that will read and write files under $HOME/.openclaw and your workspace, construct prompts for agent-driven subagents, and attempt to publish code (git push, ClawHub). Before installing: (1) inspect the publish functions and remove or sandbox git/clawhub calls if you don't want automatic pushes (note the hard-coded 'xiaomili' remote), (2) ensure you have backups of PRD files and a disposable workspace for testing, (3) verify you have required tools (jq, git, grep with -P/PCRE if used, clawhub) and understand which credentials those tools use, (4) run the scripts locally in a safe environment to observe side effects, and (5) be cautious about enabling any automation that spawns subagents — that expands the blast radius. The inconsistencies around undeclared binaries/credentials and auto-publishing are the primary reasons to proceed carefully.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.1.1
Download zip
latestvk972bvr2kavzqr5mpwjwd67za9839vef

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

auto-pipeline

🏆 实战集成

Bounty 批量开发流程

# 1. 扫描发现
bash ../github-bounty-hunter/scripts/bounty_quick_scan.sh

# 2. 批量开发(最多 5 个并行)
bash ../github-bounty-hunter/scripts/bounty_batch_dev.sh <owner/repo> 11,29,30 5

# 3. 批量提交 PR
bash ../github-bounty-hunter/scripts/bounty_submit_batch.sh <work_dir>

优先级策略

  • P0: >$200 + <10 评论 → 立即接
  • P1: >$100 + <20 评论 → 马上接
  • P2: >$100 + 20-50 评论 → 评估后接
  • P3: >$200 + >50 评论 → 可竞争

将PRD自动转化为可发布技能的质量保障流水线。

版本定位

版本定位状态
v1.0PM辅助工具(手动调度)✅ 当前版本
v2.0半自动化(自动spawn子代理)✅ 当前版本
v3.0全自动化(智能体协作)⬜ 远期

v1.0 功能(已发布)

📋 PRD看板管理

列出所有技能的开发状态,查看详细信息。

pipeline.sh list                          # 列出全部
pipeline.sh list --status fixing          # 按状态过滤
pipeline.sh status <skill-name>           # 查看详情

🔍 Review引擎(12维度量化评分)

对照PRD逐项检查,12维度评分,满分60分,≥50分通过。

# 在OpenClaw中执行:
source skills/auto-pipeline/src/review_engine.sh
review '{"title":"my-skill","tasks":[...]}' "my-skill" "$PWD"

🔧 修复引擎(问题清单 + 回退判断)

格式化Review问题,判断是否需要回退到Plan阶段。

source skills/auto-pipeline/src/fix_engine.sh
fix_issues "my-skill" '[{...}]' "$PWD" "$review_result"

📦 发布引擎(Git + ClawHub + PRD更新)

自动Git提交推送、ClawHub发布(含重试)、更新PRD状态、生成最终报告。

source skills/auto-pipeline/src/publish_engine.sh
publish "my-skill" "$review_result" "$PWD"

📋 Plan预审(任务声明审查)

审查任务声明的完整性、信心度评分、低信心度任务标记。

source skills/auto-pipeline/src/plan_reviewer.sh
plan_review '{"title":"my-skill","tasks":[...]}'

📄 PRD解析(PRD → 任务声明JSON)

支持结构化和自由格式PRD,提取功能清单和验收标准。

source skills/auto-pipeline/src/prd_reader.sh
prd_read "docs/products/xxx_PRD.md"

v2.0 功能(当前版本)

  • run 命令:自动spawn开发/修复子代理
  • 子代理超时处理(5分钟)+ 智能任务拆分
  • 修复循环自动化(≤3轮 + 升级给官家)
  • task_planner.sh:将PRD拆分为<5分钟的子任务

v3.0 功能(远期)

  • 双模型交叉Review(开发模型≠Review模型)
  • Baseline Delta(只检查新增代码)
  • batch 命令:并行开发(最多3个子代理)
  • 端到端全自动化(PM只需发起+确认)

PM手动工作流(v1.0推荐)

1. PM读取PRD → 使用 prd_reader 解析为任务声明
2. PM执行Plan预审 → plan_review 审查任务声明
3. PM手动开发/派发子代理开发
4. PM执行Review → review 获取12维度评分
5. 如不通过 → fix_issues 构造修复prompt → PM派发修复
6. 如通过 → publish 自动Git+ClawHub+PRD更新
7. 全程使用 list/status 跟踪进度

状态文件

存储于 ~/.openclaw/pipeline/<skill>.json

状态流转: pending → developing → reviewing → fixing → publishing → completedescalated

12维度评分

维度权重说明
PRD功能覆盖度2x每个PRD功能是否实现
运行测试1x测试通过率
代码质量1xbash -n、变量安全、错误处理
文档完整性1xSKILL.md/README.md/版权
CLI设计1x--help清晰度
错误处理1x边界情况覆盖
安全性1x输入验证、无API Key泄露
性能1x响应时间
可维护性1x代码结构清晰度
可扩展性1x是否易于添加功能
测试覆盖1x正面+负面测试
PRD一致性1x实现与PRD描述一致

满分60分,≥50分通过。

版权

MIT License | Copyright (c) 2026 思捷娅科技 (SJYKJ)

Files

24 total
Select a file
Select a file to preview.

Comments

Loading comments…