linux-riscv-contribute

This skill appears to do what it says (automate a discover->issue->plan->implement->patch pipeline) but has a few important gaps and risks you should consider before installing: - Authentication: The skill will create/update GitHub issues and prepare/send patch emails, yet it declares no GitHub token or mail/send credentials. Confirm how the platform will supply authentication (agent secrets, user-provided tokens, or manual steps). Do not assume it will work without configuring credentials. - Data exposure: The workflow reads local Linux source trees and instructs spawning external ACP agents (claude-code, codex). That means potentially sensitive repository content and internal design details will be sent to external model runtimes. If your code or metadata must remain private, run this only in an environment where sending data to those models is permitted, or restrict the agent prompts to safe excerpts. - Human gates: The skill includes three explicit human approval gates and a 'never auto-send external email without user confirmation' rule; ensure the platform enforces these gates before you allow any autonomous runs. - Review templates and bootstrap script: The bootstrap script is simple and only writes under the docs repo you pass in, but verify the target path before running and keep backups. Also review workflow-template.yaml for hardcoded repo names/models (e.g., 'zcxGGmu/linux-riscv-docs', 'hanbbq/gpt-5.3-codex') and replace with your own configuration. - Test in dry-run/isolated environment first: Use the workflow's dry_run flags, run on a non-sensitive copy of repos, and confirm what data is transmitted to ACP agents and what the platform requires for GitHub/mailing authentication. If the project owner can clarify how credentials are provided (or update the skill to declare required env vars and data-sanitization rules), the remaining concerns would be addressed. Until then, treat the skill as functional but requiring careful ops/credential review.