← Back to Skills Marketplace
captainsvbot

Autonomous GitHub Team

by captainsvbot · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
125
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install autonomous-github-team
Description
Autonomous GitHub Team — 41 AI agents that autonomously monitor a GitHub repository, detect bugs, create fixes, open PRs, and release to production. Triggers...
README (SKILL.md)

🤖 Autonomous GitHub Team Skill

⚠️ Security Warning — Read Before Installing

This skill clones and executes bash scripts from a remote repository. Before running:

  1. Audit the scripts first — review every agent file in the agents/ directory
  2. Use a least-privilege PAT — dedicated token scoped to a single test repo, not your main account
  3. Never run on a production repo until you've tested in an isolated fork
  4. Never commit tokens — keep config.env private and out of version control
  5. Require human review before merging any PRs the agents create

What It Does

41 AI agents that autonomously monitor a GitHub repository, detect bugs, create fixes, open PRs, and release to production automatically.

Required Environment Variables

GH_TOKEN        # GitHub PAT — needs: contents:w, pr:w, issues:w
TARGET_REPO     # The repository to operate on (format: owner/repo)

Primary credential: GH_TOKEN — treat this as a high-privilege secret.

Setup

# 1. Clone the repo (pinned to v1.0.0 tag)
git clone --branch v1.0.0 https://github.com/captainsvbot/AutonomousGitHubTeam.git
cd autonomous-github-team

# 2. Configure — edit config.env
cp config.example.env config.env
nano config.env   # set GH_TOKEN and TARGET_REPO

# 3. Audit the agents first (important!)
# Review agents/*.sh before running anything

# 4. Run
bash agents/orchestrator.sh

Security Requirements for the GitHub Token

The skill needs a token that can:

  • Read and write to repository contents
  • Create and manage pull requests
  • Read and write issues

Create a dedicated token for this skill:

  1. GitHub → Settings → Developer Settings → Personal Access Tokens → Fine-grained tokens
  2. Scope to only the specific repository you want the team to operate on
  3. Grant only: contents: read and write, pull requests: read and write, issues: read and write
  4. Never use your main account token with broad org access

Available Agents

bash agents/orchestrator.sh          # Full pipeline (detect → fix → release)
bash agents/security-agent.sh        # Vulnerability scanning
bash agents/fixer-agent.sh          # Apply fixes, open PRs
bash agents/git-guardian-agent.sh     # Merge PRs (requires human review before main merges)
bash agents/backup-agent.sh          # Backup repo via GitHub API
bash agents/rollback-agent.sh         # Auto-revert broken commits
bash agents/team-bravo.sh            # Activity monitor (read-only check)

Gitflow

feature/fix → develop → main

Every run syncs main → develop first. The Git Guardian does not auto-merge to main — all merges to main require human approval.

Before Running on a Production Repo

  • Clone and review all agents/*.sh files
  • Test in an isolated fork first
  • Set up branch protection on main (require PR reviews)
  • Use a dedicated, scope-limited PAT
  • Keep config.env out of version control

Security Checklist Before Publishing Changes

# Scan for accidentally committed secrets
grep -rni "gho_\|token\|secret\|api_key\|password" .

If you modify this repo, always scan before pushing publicly.

Usage Guidance
This skill is internally consistent with its goal but is high-risk: it clones and executes third-party scripts and needs a write-capable GitHub token. Before installing, do all of the following: (1) Inspect the pinned v1.0.0 tag contents (especially agents/*.sh) and confirm what network calls and token usage occur; (2) Create a fine‑grained PAT scoped only to a single test repository (avoid org- or account-wide scopes) and prefer short expiration; (3) Test in an isolated fork or disposable repository first, with branch protection on main; (4) Run with a read-only or minimally scoped token initially to observe proposed changes without allowing writes; (5) Ensure human approval gates exist before any merge to main; (6) Monitor activity and rotate the token after testing. Because this package is instruction-only (no embedded code in the registry), you cannot rely on the registry scan — manual code review of the cloned repository is essential. If you cannot audit the code yourself, treat the skill as unsafe for production repositories.
Capability Analysis
Type: OpenClaw Skill Name: autonomous-github-team Version: 1.2.0 The skill clones a remote repository (github.com/captainsvbot/AutonomousGitHubTeam.git) and executes bash scripts using a high-privilege GitHub Personal Access Token (GH_TOKEN). While SKILL.md includes extensive security warnings and recommends least-privilege tokens, the core execution model—running unverified remote scripts with write access to repositories—is a high-risk pattern. The metadata correctly identifies the risk_level as 'high', but the potential for supply chain compromise via the remote repository makes this suspicious.
Capability Assessment
Purpose & Capability
Name/description, required binaries (git, bash, curl, python3), and required env vars (GH_TOKEN, TARGET_REPO) are coherent for an autonomous GitHub automation that clones a repo and runs orchestrator scripts. Declared permissions (repo/PR/issues write) match the described functionality.
Instruction Scope
SKILL.md explicitly instructs cloning a remote repository and running orchestrator and agent shell scripts (agents/orchestrator.sh). While this is within the stated purpose, it directs execution of third‑party code with a write-capable PAT — a direct data-exfiltration or supply-chain risk. The skill does advise auditing agent scripts and running in a fork, but the runtime instructions inherently grant broad discretion to those remote scripts.
Install Mechanism
There is no packaged install; the skill is instruction-only and instructs git-cloning https://github.com/captainsvbot/AutonomousGitHubTeam.git pinned to tag v1.0.0. Cloning from GitHub and pinning a tag is better than downloading from an arbitrary server, but it still results in executing remote code on the host — a significant risk.
Credentials
Requested environment variables (GH_TOKEN and TARGET_REPO) are necessary for repository operations the skill performs. The GH_TOKEN requires write scopes, which are proportionate to creating fixes, PRs, and releases, but this is high privilege — the skill itself and its instructions repeatedly warn to use a least-privilege, repo-scoped token.
Persistence & Privilege
The skill does not request always:true or any system config paths and is user-invocable; however, because the agent can run autonomously (platform default) and the skill uses a write-capable PAT, an autonomous run could perform actions in the target repo without manual intervention. The SKILL.md recommends human review before merging, but you should confirm any automated merge/rollback behaviors in the repo code before enabling autonomous runs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install autonomous-github-team
  3. After installation, invoke the skill by name or use /autonomous-github-team
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
v1.2.0: Full security overhaul — declare GH_TOKEN/TARGET_REPO as primaryEnv, pinned clone to v1.0.0 tag, added audit-before-running warning, least-privilege PAT guidance, isolated-test-repo requirement, no-auto-merge-to-main policy.
v1.1.0
v1.1.0: Add full security disclosures — GitHub PAT write permissions, bash script execution risk, PR creation/merging, risk_level:high, explicit permissions fields.
v1.0.0
Initial release: 41 AI agents for autonomous GitHub issue detection, routing, fixing, and release management.
Metadata
Slug autonomous-github-team
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Autonomous GitHub Team?

Autonomous GitHub Team — 41 AI agents that autonomously monitor a GitHub repository, detect bugs, create fixes, open PRs, and release to production. Triggers... It is an AI Agent Skill for Claude Code / OpenClaw, with 125 downloads so far.

How do I install Autonomous GitHub Team?

Run "/install autonomous-github-team" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Autonomous GitHub Team free?

Yes, Autonomous GitHub Team is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Autonomous GitHub Team support?

Autonomous GitHub Team is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Autonomous GitHub Team?

It is built and maintained by captainsvbot (@captainsvbot); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments