← Back to Skills Marketplace
zero2ai-hub

Skill Github Daily Ops

by Zero2Ai · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
399
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install skill-github-daily-ops
Description
Daily GitHub repo health check + safe Dependabot auto-merge. Outputs markdown report.
Usage Guidance
This skill mostly does what it claims (scan repos, report, and merge Dependabot PRs) but has several red flags you should address before using it with real credentials: - Expect to provide a GitHub PAT with repo write permissions. The registry doesn't declare this, but the scripts will fail without it. Use a token scoped as narrowly as possible (repo:status, pull_request, maybe repo if merging) and prefer an org-scoped machine account if possible. - The scripts use both GITHUB_TOKEN (node) and GH_TOKEN (bash) and will try to read ~/.github_token. Ensure you know which token will be used and avoid placing high-privilege tokens in a plaintext file unless you intend to. - The code relies on binaries not declared in the manifest: gh (GitHub CLI), python3, and git (for workspace push). Install these only if you trust the skill. - The included daily-ops.sh will attempt to push unpushed commits from a configured WORKSPACE (default ~/.openclaw/workspace). If you run that script, it may publish local commits you haven't reviewed. Either remove or audit the 'Push workspace commits' section before running, or set WORKSPACE to a safe path. - Consider running the scripts in readonly/report-only mode (--report) first, and test auto-merge behavior on a small set of non-critical repos. Review and possibly remove or sandbox any steps that write to remotes (merge, delete-branch, git push). Given the mismatches and the workspace-push side-effect, treat this skill as 'suspicious' until you fix the declared requirements, unify token handling, and remove or clearly control the workspace push behavior.
Capability Analysis
Type: OpenClaw Skill Name: skill-github-daily-ops Version: 1.0.1 The skill is classified as suspicious due to several risky capabilities, even though they align with the stated purpose of GitHub daily operations. Both `scripts/auto-merge.sh` and `scripts/daily-ops.sh` read the highly sensitive `GITHUB_TOKEN` from `~/.github_token`. Additionally, `scripts/daily-ops.sh` performs a `git push` operation on the local workspace, a powerful action that could lead to unauthorized code changes if the agent's environment or the workspace repository were compromised. While these actions are plausibly needed for the skill's functionality, they represent significant attack surfaces and potential vulnerabilities without clear malicious intent.
Capability Assessment
Purpose & Capability
Name/description promise (GitHub health + safe Dependabot auto-merge) aligns with code that lists repos, checks CI, and merges Dependabot PRs — that part is coherent. However the package metadata only declares 'node' as a required binary while the shipped scripts also rely on the GitHub CLI (gh), python3, and git; the registry does not declare the needed GITHUB_TOKEN/GH_TOKEN credential despite the scripts requiring it. These omissions are disproportionate to the stated purpose and reduce transparency.
Instruction Scope
SKILL.md shows running node scripts (report + merge). The included bash scripts (daily-ops.sh) perform extra actions not called out in the top-level docs: they will examine a local WORKSPACE and may git push unpushed commits from that workspace. Pushing local workspace commits is outside the expected scope of a 'repo health report' and can modify remote state beyond merging Dependabot PRs. Also the skill's scripts read ~/.github_token and expect GH_TOKEN/GITHUB_TOKEN — they will access local files and environment for credentials.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed automatically. That limits install-time risk. However it still ships runnable scripts that will be executed by the user/agent if invoked.
Credentials
The skill requires a GitHub personal access token in practice, but registry metadata does not declare required env vars. The code uses both GITHUB_TOKEN (daily-ops.js) and GH_TOKEN (bash scripts) and will read ~/.github_token — this mismatch increases risk of accidental credential exposure or misconfiguration. A PAT with repo write/merge permissions is required to auto-merge and to push workspace commits; that level of credential is significant and should be declared and limited.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The particularly concerning behavior is not persistence but side-effects: the bash script can push local workspace commits (git push) which modifies remote repositories and may expose or publish local changes. Autonomous invocation is allowed by default for skills, so if you enable auto-run you should be aware of the side-effecting operations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-github-daily-ops
  3. After installation, invoke the skill by name or use /skill-github-daily-ops
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Removed internal documentation file: config/internal.md - No user-facing functionality changed.
v1.0.0
Initial release of skill-github-daily-ops: - Generates daily health reports for GitHub repos in markdown format. - Safely auto-merges Dependabot PRs with only medium/low severity CVEs and passing CI. - Supports running for all or specific repos via command-line arguments. - Flexible configuration using environment variables and CLI options. - Provides cron-ready scripting examples for automation.
Metadata
Slug skill-github-daily-ops
Version 1.0.1
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Skill Github Daily Ops?

Daily GitHub repo health check + safe Dependabot auto-merge. Outputs markdown report. It is an AI Agent Skill for Claude Code / OpenClaw, with 399 downloads so far.

How do I install Skill Github Daily Ops?

Run "/install skill-github-daily-ops" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Github Daily Ops free?

Yes, Skill Github Daily Ops is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Github Daily Ops support?

Skill Github Daily Ops is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Github Daily Ops?

It is built and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments