Propel Code Review Smoke

Run async diff-based code reviews using the Propel Review API, poll for completion, retrieve structured findings, and send comment feedback. Use when reviewi...

This skill appears to do exactly what it claims: gather a git diff and send it to Propel’s production API, poll for results, and post feedback. Before installing or running it, consider: 1) You will be sending repository diffs and metadata to https://api.propelcode.ai — only run this against code you are comfortable sharing with that service. 2) The SKILL.md suggests persistently saving PROPEL_API_KEY to your shell rc (e.g., ~/.bashrc or ~/.zshrc); if you prefer not to store a long-lived token on disk, export the token only in your session or use a short-lived/limited-scope token. 3) The smoke-test will perform three API calls (including a malformed token case) that will transmit the diff — run it in a non-sensitive repo or verify repository selection before running. 4) The scripts optionally call gh commands to discover repo/branch; if you don’t want that, pass explicit --repo/--base-branch arguments. Review the included scripts yourself (they are plain Bash) if you want to inspect or alter the token-persistence behavior prior to use.

Type: OpenClaw Skill Name: propel-code-review-smoke-1773429953 Version: 0.0.1 The skill bundle automates code reviews via the Propel API (api.propelcode.ai) but exhibits high-risk behaviors. Specifically, SKILL.md instructs the agent to persist the PROPEL_API_KEY by appending it to the user's shell configuration files (~/.bashrc or ~/.zshrc) and directs the agent to autonomously incorporate code fixes and submit feedback to the API without user confirmation. While these features are aligned with the stated purpose of the tool, the combination of automated codebase modification and shell-level persistence without explicit user oversight poses a significant security risk.