Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ci Failure Fixer

v1.0.0

Monitor GitHub Actions CI pipelines for failures and automatically fix common issues. Use when asked to watch CI, fix build failures, monitor GitHub Actions,...


Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for danielgrobelny/ci-failure-fixer.

Prompt preview (Install & Setup):
Install the skill "Ci Failure Fixer" (danielgrobelny/ci-failure-fixer) from ClawHub.
Skill page: https://clawhub.ai/danielgrobelny/ci-failure-fixer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line (CLI commands)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install ci-failure-fixer

ClawHub CLI (via npx):

npx clawhub@latest install ci-failure-fixer

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to detect and automatically fix GitHub Actions failures and to push fixes. The packaged script (scripts/check-ci-failures.sh) only discovers failed runs and reports them; there is no implementation of automated modification/commit logic in the repository. SKILL.md and references/fix-patterns.md describe running npm/eslint/playwright and committing changes — which would require local repo clones, git access, node tooling, and push permissions — but these required capabilities are not declared in the skill metadata (no required binaries, no required env, no credential declared). This is an incoherence: either the skill will only report failures (safe-ish) or the agent is expected to execute potentially destructive repo-modifying commands (high privilege) — the package doesn't make which of these will actually happen explicit.
! Instruction Scope
Instructions direct the agent to read logs (gh run view), match against error patterns, and 'auto-fix if safe' by running commands like npm install, eslint --fix, or updating snapshots and pushing commits. They also recommend running as a cron job and rely on environment variables (GITHUB_OWNER, CI_REPOS, CI_STATE_FILE) that are not enumerated in the skill's declared requirements. The phrasing gives broad discretion to the agent ('auto-fix if safe' and 'TRY fix, push if confident'), which is open-ended and could lead to unintended code changes or excessive repo access unless human approval and strict safeguards are enforced.
Install Mechanism
No install spec — instruction-only plus a small script — so nothing is downloaded or installed by the skill itself. This minimizes supply-chain/install risk. However, runtime relies on external tooling (gh, python3, git, npm/node, eslint, playwright) that are not managed by an installer here.
! Credentials
Metadata declares no required environment variables or primary credential, but SKILL.md and the script require gh CLI authentication and optional env vars (GITHUB_OWNER, CI_REPOS, CI_STATE_FILE). More importantly, auto-fix behaviors described would require push/write permissions to repositories (a GitHub token or gh-authenticated user with repo write access). These sensitive permissions are not listed or scoped, and auto-discovery of 'all repos' risks operating across many repositories the account can access. The skill also writes a state file under $HOME (~/.openclaw/workspace/memory/ci-check-state.json) without declaring that file access in metadata.
Persistence & Privilege
always:false (good). The skill is allowed to be invoked autonomously (platform default), which combined with the instructions to auto-fix and push code increases blast radius. The script writes a state file into the user's home workspace, and the skill is intended to run on a cron schedule. Those are moderate privileges for this purpose but are not excessive by themselves — the real risk is autonomous code changes/pushes described elsewhere in the instructions.
What to consider before installing
This skill is ambiguous: the script only discovers and reports failed CI runs, but the prose and reference file instruct the agent to run commands that modify repositories and push commits (npm install, eslint --fix, update snapshots, git commit/push). Before installing or enabling this skill, consider the following:

  • Assume the agent will need a GitHub-authenticated 'gh' session with write access to repos to perform the described auto-fixes. If you enable it, restrict the token/account to only the specific repos it should touch (use a PAT scoped to specific repositories rather than a broad user token).
  • Limit CI_REPOS to a small test repository or mirror first; do not rely on auto-discovery of 'all repos' while testing.
  • Require a human-in-the-loop: prefer dry-run or require explicit confirmation before any commit/push. The skill's language gives broad discretion to 'auto-fix if safe', which can lead to unintended code changes.
  • Review references/fix-patterns.md and the exact commands the agent would run; test them locally on a clone to see their effects.
  • If you want only monitoring (no auto-fix), use the script as-is but disable or remove any automation steps that perform git commit/push or modify source files.

Because of the undeclared credential needs, auto-push capability, and open-ended instructions, treat this skill as suspicious until you can enforce tight scoping and human approval policies.


latest: vk972vjrv62dh5tdaz0wpe954sh83g7zr
97 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

CI Failure Fixer

Monitor GitHub Actions for failures. Auto-fix what's fixable, report what's not.

How It Works

  1. scripts/check-ci-failures.sh polls repos for new failed runs
  2. If failures found → read build logs via gh run view --log
  3. Match error against known patterns → auto-fix if safe
  4. Push fix → wait 90s → verify build passes
  5. Report results (fixed or diagnosis-only)

Quick Start

On-demand

bash scripts/check-ci-failures.sh

Output: OK (no failures) or FAILURES with details.

As Cron Job (OpenClaw)

Set up a cron that runs every 30 minutes:

  • Script: bash scripts/check-ci-failures.sh
  • Model: Haiku (cheap, sufficient)
  • On failure: Read logs, attempt auto-fix, report

Configuration

Environment variables:

  • GITHUB_OWNER — GitHub username (auto-detected from gh if not set)
  • CI_REPOS — Space-separated repo names (auto-discovers all repos if not set)
  • CI_STATE_FILE — Path to state JSON (tracks last check time)

Auto-Fixable Patterns

Pattern           | Detection                  | Fix
Dependency issues | npm ERR! Could not resolve | npm install + push
Test snapshots    | Snapshot mismatch          | npm test -- --update + push
Lint errors       | eslint, Formatting         | eslint --fix + push
E2E snapshots     | Playwright snapshot diff   | playwright --update-snapshots + push

Report-Only (Human Needed)

  • Token/auth errors (secrets rotation)
  • TypeScript errors (complex type issues)
  • Build timeouts (resource/loop issues)
  • Unknown errors
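The "auto-fix if safe" step of the README and the scan's recommendations above (treat CI_REPOS as an allowlist, require human approval before any push) as an added shell example, not part of the skill's own script: it classifies a failed-run log against the pattern table, refuses repos that are not explicitly listed in CI_REPOS, and defaults to a dry run. The CI_DRY_RUN variable and the auth/TypeScript/timeout match strings are assumptions, not taken from the skill.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: turns the README's "auto-fix if safe"
# into an explicit, auditable decision. Assumed: the README's pattern table,
# CI_REPOS used strictly as an allowlist, and a hypothetical CI_DRY_RUN
# variable that defaults to 1 so no command is ever run or pushed by default.
set -u

# Map a failed-run log to an auto-fixable pattern ("fix:<kind>") or to a
# report-only category ("report:<reason>"). Report-only checks run first so an
# auth or compiler failure is never shadowed by an incidental "eslint" mention
# later in the same log. The auth/TS/timeout strings are assumed examples.
classify_failure() {  # $1 = log text
  if printf '%s\n' "$1" | grep -qiE 'bad credentials|authentication failed'; then echo "report:auth"
  elif printf '%s\n' "$1" | grep -qE 'error TS[0-9]+'; then echo "report:typescript"
  elif printf '%s\n' "$1" | grep -qiE 'job.*timed out|maximum execution time'; then echo "report:timeout"
  elif printf '%s\n' "$1" | grep -qE 'npm ERR! Could not resolve'; then echo "fix:dependency"
  elif printf '%s\n' "$1" | grep -qE 'Playwright snapshot diff|Screenshot comparison failed'; then echo "fix:e2e-snapshot"
  elif printf '%s\n' "$1" | grep -qE 'Snapshot mismatch|snapshots? failed'; then echo "fix:snapshot"
  elif printf '%s\n' "$1" | grep -qiE 'eslint|prettier'; then echo "fix:lint"
  else echo "report:unknown"
  fi
}

# Only repos explicitly listed in CI_REPOS may receive a fix. An unset or empty
# CI_REPOS means report-only: "auto-discover all repos" is never used for writes.
repo_allowed() {  # $1 = repo name
  local r
  for r in ${CI_REPOS:-}; do [ "$r" = "$1" ] && return 0; done
  return 1
}

# Decide what the agent may do for one failure. Prints exactly one line:
#   REPORT <reason>         human needed, nothing is modified
#   PLAN <repo> <command>   fix identified but CI_DRY_RUN=1 (default): log only
#   FIX <repo> <command>    operator explicitly set CI_DRY_RUN=0
plan_action() {  # $1 = repo name, $2 = log text
  local repo="$1" kind cmd
  kind=$(classify_failure "$2")
  case "$kind" in report:*) echo "REPORT ${kind#report:}"; return 0 ;; esac
  repo_allowed "$repo" || { echo "REPORT repo-not-in-CI_REPOS"; return 0; }
  case "$kind" in
    fix:dependency)   cmd='npm install' ;;
    fix:snapshot)     cmd='npm test -- --update' ;;
    fix:lint)         cmd='npx eslint --fix .' ;;
    fix:e2e-snapshot) cmd='npx playwright test --update-snapshots' ;;
  esac
  if [ "${CI_DRY_RUN:-1}" = "1" ]; then echo "PLAN $repo $cmd"; else echo "FIX $repo $cmd"; fi
}
```

Feed it the output of the log-reading commands below; a PLAN line is what a human reviews before flipping CI_DRY_RUN to 0 for one scoped run.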

Fix Patterns Reference

Read references/fix-patterns.md for detailed decision tree, log reading commands, and all known patterns with fix scripts.

Reading Logs

# Latest failed run's logs (gh needs an explicit run id when it is not running
# interactively, e.g. from cron, so look up the newest failed run's id first)
RUN_ID=$(gh run list --repo OWNER/REPO --status failure --limit 1 --json databaseId -q '.[0].databaseId')
gh run view "$RUN_ID" --repo OWNER/REPO --log 2>&1 | tail -50

# Filter for errors
gh run view <run-id> --repo OWNER/REPO --log 2>&1 | grep -A5 "error\|FAIL"

After Fixing

Always verify the fix worked:

sleep 90  # Wait for new CI run
gh run list --repo OWNER/REPO --limit 1 --json conclusion -q '.[0].conclusion'
# Should be "success"
