Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Issue Auto Triage

Automatically triage GitHub Issues: AI-driven labeling, assignee allocation, duplicate detection and FAQ replies

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 30 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code, README and SKILL.md implement exactly the described purpose (GitHub issue triage: labeling, assigning, duplicate detection, FAQ replies, optional Slack/Discord notifications). Use of a GitHub token and an LLM API key is coherent with these capabilities. However, there are metadata inconsistencies: the top-level registry metadata listed no required env vars/credentials, while _meta.json, README, SKILL.md and config.example.json clearly list GITHUB_TOKEN, GITHUB_OWNER, GITHUB_REPO and DASHSCOPE_API_KEY. Version fields also mismatch (registry shows 1.0.0, _meta.json and clawhub.json show 2.0.0). Repository/homepage values differ across files. These provenance/version mismatches reduce confidence in the package source integrity.
Instruction Scope
SKILL.md and scripts/triage.py limit actions to reading GitHub issues, calling an external LLM (DashScope), adding labels/comments/assignees, and optionally notifying Slack/Discord. The instructions do not request unrelated system files or broad data collection. They do instruct network calls to api.github.com and dashscope.aliyuncs.com and recommend environment variables for tokens; those are expected for this functionality.
Install Mechanism
There is no install spec (instruction-only / included Python script), which is lower risk than arbitrary installers or downloads. The package includes code files (scripts/triage.py) that will run when invoked; no external binary downloads or non-standard install locations are used.
Credentials
The skill requires secrets (GITHUB_TOKEN and an LLM key) which are appropriate for its task, but the registry metadata initially presented to the platform omitted these requirements. That discrepancy is concerning. Also README suggests granting `repo` scope for the GitHub token (full repo permissions); for triage the least-privilege scopes (issues write/read, possibly pull request comments) are sufficient and safer. DASHSCOPE_API_KEY is a bearer-style secret — treat it like any API key. The number and sensitivity of credentials are proportionate to the feature set but must be explicitly declared and limited; here declaration is inconsistent.
Persistence & Privilege
The skill is not always:true and does not request system-wide privileges. _meta.json indicates fileWrite limited to current_directory_only and network access to api.github.com and dashscope.aliyuncs.com, which matches the code. It does write logs/results locally. It does not modify other skills or system-wide configurations.
What to consider before installing
Key points before installing:
- Metadata mismatch: the registry entry claims no required env vars, but the code and docs require GITHUB_TOKEN, GITHUB_OWNER, GITHUB_REPO and an LLM API key. Treat that as a packaging/provenance red flag and verify the source repository before use.
- Principle of least privilege: if you test or install, create a GitHub token with the minimal scopes needed (issues: read/write; avoid granting full `repo` unless absolutely required). Review which exact GitHub scopes the script needs and restrict the token accordingly.
- Inspect the code and run a dry run first: the included script (scripts/triage.py) is readable; run it with --dry-run in an isolated/sandboxed environment (or against a test repo) to verify its behaviour and the network endpoints it calls.
- Verify the LLM endpoint and keys: the script calls dashscope.aliyuncs.com. Confirm you trust that LLM provider and that sending issue text to it is acceptable for your privacy/security needs.
- Verify provenance: repository/homepage and version fields differ across files (1.0.0 vs 2.0.0 and multiple repo URLs). Confirm the canonical source (GitHub repo) and recent commit history before trusting or deploying.
- Operational advice: add monitoring/logging, run initially on a small/test repo, and prefer running under a service account with limited permissions. If anything about the package provenance remains unclear, do not provide production tokens or deploy to production repositories until it is resolved.
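The provenance and least-privilege checks listed above can be automated before a skill is installed. The following is an added example written for this page, not ClawHub's scanner and not the skill's own code; the file contents are constructed to mirror the reported mismatches, and the key names `version` and `requiredEnv` are assumptions rather than the real registry or _meta.json schema.

```python
import re

# Constructed sample package files mirroring the inconsistencies the scan report describes.
# The key names ("version", "requiredEnv") are assumptions, not the real registry/_meta.json schema.
REGISTRY = {"version": "1.0.0", "requiredEnv": []}
META_JSON = {"version": "2.0.0",
             "requiredEnv": ["GITHUB_TOKEN", "GITHUB_OWNER", "GITHUB_REPO", "DASHSCOPE_API_KEY"]}
CLAWHUB_JSON = {"version": "2.0.0"}
CONFIG_EXAMPLE = '''
github:
  owner: "${GITHUB_OWNER}"
  repo: "${GITHUB_REPO}"
  token: "${GITHUB_TOKEN}"
llm:
  api_key: "${DASHSCOPE_API_KEY}"
'''
# Classic GitHub OAuth scopes that are far broader than issue triage needs.
BROAD_SCOPES = {"repo", "admin:org", "admin:repo_hook", "delete_repo"}
ENV_REF = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

def env_refs(text):
    """Environment variables referenced as ${NAME} anywhere in a config file."""
    return set(ENV_REF.findall(text))

def find_mismatches(registry, meta, clawhub, config_text, suggested_scopes):
    """Return (finding, detail) tuples; an empty list means the package is self-consistent."""
    findings = []
    versions = {"registry": registry.get("version"), "_meta.json": meta.get("version"),
                "clawhub.json": clawhub.get("version")}
    if len(set(versions.values())) > 1:
        findings.append(("version_mismatch", versions))
    # Every variable the config or _meta.json needs must be declared to the registry.
    declared = set(registry.get("requiredEnv", []))
    used = env_refs(config_text) | set(meta.get("requiredEnv", []))
    undeclared = sorted(used - declared)
    if undeclared:
        findings.append(("undeclared_env", undeclared))
    # The README suggests `repo`; issue triage only needs issue read/write.
    broad = sorted(set(suggested_scopes) & BROAD_SCOPES)
    if broad:
        findings.append(("broad_token_scope", broad))
    return findings

if __name__ == "__main__":
    for name, detail in find_mismatches(REGISTRY, META_JSON, CLAWHUB_JSON, CONFIG_EXAMPLE, ["repo"]):
        print(f"{name}: {detail}")
```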


Current version: v1.0.0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

GitHub Issue Auto Triage Skill

Automatically triage GitHub Issues: AI-driven labeling, assignee allocation, duplicate Issue detection and automatic FAQ replies.

Trigger conditions

  • Scheduled: check for new Issues every 30 minutes
  • Manual: /triage-issues or "handle GitHub Issues"
  • Webhook: GitHub webhook push

Core features

1. AI classification

  • Read the Issue title and description
  • Analyze the content with an LLM
  • Automatically apply suitable labels (bug/enhancement/question, etc.)
  • Identify severity (critical/major/minor)

2. Automatic assignee allocation

  • Assign by Issue type
  • Take team member workload into account
  • Support round-robin assignment
  • Configurable assignment rules

3. Duplicate Issue detection

  • Semantic similarity analysis
  • Detect similar titles
  • Automatically link duplicate Issues
  • Suggest closing duplicates

4. Automatic FAQ replies

  • Recognize frequently asked questions
  • Reply automatically with the standard answer
  • Provide documentation links
  • Mark as resolved

5. Smart notifications

  • Slack/Discord notifications
  • @mention the relevant assignee
  • Priority alerts
  • Daily/weekly report generation

Configuration parameters

github:
  owner: "your-org"
  repo: "your-repo"
  token: "${GITHUB_TOKEN}"
  
triage:
  enabled: true
  interval_minutes: 30
  auto_label: true
  auto_assign: true
  detect_duplicates: true
  auto_reply_faq: true
  
labels:
  bug:
    keywords: ["bug", "error", "crash", "fail", "broken"]
    priority: high
  enhancement:
    keywords: ["feature", "enhancement", "improve", "add"]
    priority: medium
  question:
    keywords: ["question", "help", "how to", "confused"]
    priority: low
  
assignees:
  bug: ["@dev1", "@dev2"]
  enhancement: ["@pm1"]
  question: ["@support1"]
  
faq:
  - question: "how to install"
    answer: "See installation guide: https://docs.example.com/install"
  - question: "license"
    answer: "We use MIT license. See LICENSE file."
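A dry-run triage pass over the labels and assignees configured above, as an added example that is not the skill's scripts/triage.py: the YAML is embedded as a Python dict, `classify` and `Triager` are illustrative names, and nothing contacts GitHub unless an `apply` callable is supplied.

```python
import itertools

# Constructed from the labels/assignees sections of the config above (YAML rewritten as a dict).
CONFIG = {
    "labels": {
        "bug": {"keywords": ["bug", "error", "crash", "fail", "broken"], "priority": "high"},
        "enhancement": {"keywords": ["feature", "enhancement", "improve", "add"], "priority": "medium"},
        "question": {"keywords": ["question", "help", "how to", "confused"], "priority": "low"},
    },
    "assignees": {"bug": ["@dev1", "@dev2"], "enhancement": ["@pm1"], "question": ["@support1"]},
}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def classify(title, body, labels):
    """Keyword classifier: most substring hits wins; ties go to the higher-priority label."""
    text = f"{title} {body}".lower()
    scored = []
    for name, spec in labels.items():
        hits = sum(text.count(kw) for kw in spec["keywords"])
        if hits:
            scored.append((-hits, PRIORITY_ORDER[spec["priority"]], name))
    if not scored:
        return "needs-triage", None  # nothing matched: leave it for a human
    name = min(scored)[2]
    return name, labels[name]["priority"]

class Triager:
    """Plans label/assign actions and applies them only through an injected callable."""

    def __init__(self, config):
        self.config = config
        # One round-robin cursor per label, so "bug" alternates between @dev1 and @dev2.
        self._rr = {k: itertools.cycle(v) for k, v in config["assignees"].items()}

    def plan(self, number, title, body):
        label, _priority = classify(title, body, self.config["labels"])
        actions = [("add_label", number, label)]
        if label in self._rr:
            actions.append(("assign", number, next(self._rr[label])))
        return actions

    def run(self, number, title, body, apply=None):
        """apply=None is dry-run: planned actions are printed and returned, never executed."""
        actions = self.plan(number, title, body)
        for action in actions:
            print(("DRY-RUN" if apply is None else "APPLY"), *action)
            if apply is not None:
                apply(*action)  # e.g. a function that calls the GitHub issues API
        return actions
```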

Usage examples

Manual trigger

# Handle all untriaged Issues
/triage-issues

# Handle a specific Issue
/triage-issues #123

# Check for duplicates
/triage-issues --check-duplicates

Scheduled task

# crontab
*/30 * * * * github-issue-triage --run

API call

curl -X POST http://localhost:8080/api/triage \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"repo": "owner/repo", "issue_number": 123}'

Example output

Processing result for Issue #123

✅ Issue #123: "App crashes on startup"

分类结果:
  - 类型:bug
  - 严重程度:critical
  - 标签:["bug", "critical", "startup"]
  - 负责人:@dev1
  - 状态:已分配

操作记录:
  ✅ 添加标签:bug
  ✅ 添加标签:critical
  ✅ 分配给:@dev1
  ✅ 发送 Slack 通知
  ✅ 记录到日志

耗时:2.3 秒

Dependencies

  • GitHub API
  • LLM (Qwen/DashScope)
  • Slack API (optional)

Security

  • Secure storage of the GitHub token
  • Principle of least privilege
  • Action logging
  • dry-run mode supported

Extensions

  • GitLab support
  • Jira support
  • Custom classification rules
  • Multi-repository management

Files

12 total