← Back to Skills Marketplace

tester_skill

Name: tester_skill
Author: tsiontesfayechromaway

by tsiontesfayechromaway · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

722

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tester

Description

Manage GitHub issues by listing, filtering, spawning fix agents, creating PRs, and tracking review comments using the authenticated gh CLI.

Usage Guidance

Key things to consider before installing: - The SKILL.md requires the gh CLI and a GitHub token (GITHUB_TOKEN), but the skill metadata does not declare these — confirm the author/source and why metadata omits these requirements. - Understand exactly what spawn_subagent does in your agent environment: will sub-agents push commits, open PRs, or run arbitrary code? Ask for explicit limits and review/approval steps. - If you try it, use a least-privilege token (PAT) scoped only to the repositories needed (avoid using a full user token), and prefer a machine/service account rather than your personal account. - Require manual approval or merge protections in GitHub so PRs opened by the skill cannot be merged automatically without human review. - Ask the publisher for source code or provenance (why is there no homepage/source), and request that the skill metadata be corrected to list required binaries and credentials. - If you cannot verify these points, avoid granting it GitHub credentials or enable model-driven autonomous actions until you have tighter controls.

Capability Analysis

Type: OpenClaw Skill Name: tester Version: 1.0.0 The skill is classified as suspicious due to a significant prompt injection vulnerability pattern identified in `SKILL.md`. The `spawn_subagent` instruction demonstrates passing unsanitized, user-controlled data (GitHub issue `title` and `description`) directly into a sub-agent's `task` string. This allows an attacker to craft malicious issue content to potentially manipulate the sub-agent's behavior. Additionally, the instruction to `export GITHUB_TOKEN` highlights a sensitive secret management practice, which, while necessary for functionality, poses a risk if not handled securely by the agent or user.

Capability Assessment

⚠ Purpose & Capability

The description says it uses the authenticated gh CLI, but the registry metadata lists no required binaries or primary credential. SKILL.md explicitly requires the gh CLI and shows use of a GITHUB_TOKEN. The requested metadata should have declared gh as a required binary and the token as a primary credential or required env var.

ℹ Instruction Scope

Instructions are focused on GitHub issue/PR operations and spawning sub-agents to implement fixes, which matches the stated purpose. However the SKILL.md provides no constraints or guardrails for spawned sub-agents (what they can access, whether they push commits automatically, review/merge policies), leaving broad, underspecified autonomous behavior.

ℹ Install Mechanism

This is an instruction-only skill (no install spec), which is low-risk by itself, but the SKILL.md requires the gh CLI be installed — that dependency is not declared in the registry metadata. The lack of an install spec means nothing will be written by the skill itself, but the runtime dependency mismatch is an inconsistency.

⚠ Credentials

The README suggests using GITHUB_REPO and GITHUB_TOKEN (sensitive) and authenticating via gh auth, but the skill declared no required env vars or primary credential. Sensitive tokens are clearly needed for the described actions; the skill should declare and justify them and recommend least-privilege scopes. As-written, the skill may run with whatever gh credentials are present without documenting required scopes or safeguards.

⚠ Persistence & Privilege

always:false (good), but the skill instructs agents to spawn sub-agents that can implement fixes and create PRs. With model invocation enabled (default), an agent could autonomously create branches/PRs using available credentials. Combined with the undeclared credential dependency and lack of guardrails, this raises privilege and autonomy concerns.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tester
After installation, invoke the skill by name or use /tester
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of GitHub Issue Manager skill. - Fetch and filter GitHub issues by labels, milestones, and assignees. - Spawn sub-agents to work on issue fixes. - Create pull requests with automated descriptions. - Track PR review status and handle review comments. - Requires preconfigured and authenticated GitHub CLI (`gh`).

Metadata

Slug tester

Version 1.0.0

License —

All-time Installs 3

Active Installs 3

Total Versions 1

Frequently Asked Questions

What is tester_skill?

Manage GitHub issues by listing, filtering, spawning fix agents, creating PRs, and tracking review comments using the authenticated gh CLI. It is an AI Agent Skill for Claude Code / OpenClaw, with 722 downloads so far.

How do I install tester_skill?

Run "/install tester" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is tester_skill free?

Yes, tester_skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does tester_skill support?

tester_skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created tester_skill?

It is built and maintained by tsiontesfayechromaway (@tsiontesfayechromaway); the current version is v1.0.0.

More Skills