OSS Contributor
by Kevin Bolander · GitHub · v1.0.0
411 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install oss-contributor
Description
Discover and resolve open source GitHub issues across community repos during idle time. Finds good-first-issue/help-wanted/documentation issues, forks repos,...
Usage Guidance
This skill mostly does what it says, but pause before installing.
1) Only provide a GH_TOKEN with the minimal scopes needed (create forks/PRs) — do not hand over a full personal access token unless you understand the scopes; consider creating a dedicated token for this skill.
2) The SKILL.md uses jq but jq is not declared as required — either install jq or update the skill; otherwise the skill may fail.
3) The --notify-channel option implies sending messages (Telegram) but no bot token or webhook env var is declared — ask the author how notifications are authenticated and what env vars are needed.
4) Review and be comfortable with the skill reading/writing files at $HOME/clawd/*. Use --dry-run and a low --limit first, and consider running with a test GitHub account or a token scoped to only public repos.
5) If you need higher confidence, ask the publisher for (a) explicit list of required binaries, (b) minimal GH_TOKEN scopes, and (c) details on external notification configuration (what env vars or webhooks it will use).
Capability Analysis
Type: OpenClaw Skill
Name: oss-contributor
Version: 1.0.0
The skill is designed to automate open-source contributions, but it contains a significant vulnerability. In Phase 5, the sub-agent is instructed to clone arbitrary GitHub repositories and then 'Run tests' within those cloned repositories. This creates a Remote Code Execution (RCE) risk, as a malicious actor could craft a repository with harmful scripts disguised as tests, which the agent would then execute. While the skill's overall intent appears benign, this RCE vector makes it suspicious. Other actions, such as accessing the GH_TOKEN from `~/.openclaw/openclaw.json` and using `curl` for GitHub API calls, are sensitive but align with the skill's stated purpose.
Capability Assessment
Purpose & Capability
Name/description (discover/triage/fix GitHub issues and open PRs) align with the instructions: the SKILL.md uses the GitHub REST API, forks/repos/PR workflow, and requires curl + git. Requesting GH_TOKEN as the primary credential is expected for acting on a user's behalf.
Instruction Scope
The runtime instructions read and write local state ($HOME/clawd/oss-contributor.json, $HOME/clawd/memory/oss-activity.json, $HOME/clawd/memory/oss-history.json) and perform actions on GitHub (create forks/PRs). Those actions are within the declared purpose, but the SKILL.md explicitly uses the `jq` tool in examples (e.g., parsing /user output) yet jq is not listed as a required binary. The skill also exposes a --notify-channel flag (Telegram) but does not declare any required environment variable for a Telegram bot/token — this is an undeclared external-sending capability. These mismatches need clarification.
Install Mechanism
Instruction-only skill with no install spec and no code files: lowest installation risk. It doesn't download or write installer artifacts beyond using existing binaries and workspace files.
Credentials
Only GH_TOKEN is declared as the primary credential — appropriate for GitHub operations — but the SKILL.md will need a token with privileges to fork, create branches, push commits, and open PRs (likely repo and possibly workflow scopes). The skill does not document the minimum token scopes to limit risk. Additionally, the potential Telegram notification feature implies a missing credential (bot token) which is not declared; this is an unexplained request for external network communication capability.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill stores activity/history under $HOME/clawd which is within the user's workspace; it does not request always-on privilege or modify other skills. Autonomous invocation is enabled by default (disable-model-invocation:false), which is normal for skills but means the skill could act without interactive approval if --auto/--yes flags are used.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install oss-contributor`
- After installation, invoke the skill by name or use `/oss-contributor`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: discover and resolve open source GitHub issues during agent idle time. Fork, fix, PR workflow with mandatory AI disclosure, repo PR template support, daily limits, and etiquette rules.
Frequently Asked Questions
What is OSS Contributor?
Discover and resolve open source GitHub issues across community repos during idle time. Finds good-first-issue/help-wanted/documentation issues, forks repos,... It is an AI Agent Skill for Claude Code / OpenClaw, with 411 downloads so far.
How do I install OSS Contributor?
Run "/install oss-contributor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OSS Contributor free?
Yes, OSS Contributor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OSS Contributor support?
OSS Contributor is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OSS Contributor?
It is built and maintained by Kevin Bolander (@kbo4sho); the current version is v1.0.0.