← Back to Skills Marketplace
adwilkinson

Oneshot Ship

by Andrew Wilkinson · GitHub ↗ · v0.2.1 · MIT-0
cross-platform ⚠ suspicious
403
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install oneshot-ship
Description
Ship code with oneshot CLI. One command that plans, executes, reviews, and opens a PR. Runs over SSH or locally. Use when the user wants to ship code changes...
Usage Guidance
Key points to consider before installing or running this skill: - The SKILL.md requests ANTHROPIC_API_KEY, OPENAI_API_KEY, GitHub authentication, and optionally Linear API credentials, but the registry metadata lists none — assume you will need to provide these. Confirm the exact credentials required before proceeding. - The pipeline will read whole repos and send code and prompts to external LLM services (Anthropic/OpenAI). If your repo contains sensitive information, do NOT run this against private repos unless you trust both the skill source and the LLM providers' data handling. - The tool stores keys in ~/.oneshot/config.json (plaintext in home directory per the doc). Prefer ephemeral or least-privilege tokens, and avoid long-lived secrets in that file. - The skill can operate over SSH and execute commands on remote servers. Only provide SSH access to hosts you fully control and audit what commands the oneshot tool will run (use --dry-run first). - There is no install manifest in the registry; the README suggests installing via bun from a GitHub repo. Verify the upstream repository and its release artifacts before installing any global binary. - Practical mitigations: run in --dry-run or --local mode first, inspect the prompts and what is sent to LLMs (prompts/*.txt and CLAUDE.md), use limited-scope GitHub PATs, use ephemeral LLM keys, and review ~/.oneshot/config.json and history after runs. If you cannot verify the source code or provenance, treat this skill as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: oneshot-ship Version: 0.2.1 The oneshot-ship skill automates a code-shipping pipeline requiring high-privilege access, including SSH, GitHub CLI authentication, and multiple API keys (Anthropic, OpenAI, Linear) stored in `~/.oneshot/config.json`. While the functionality aligns with its stated purpose of automating PRs and code execution, the broad permissions and the handling of sensitive credentials across remote environments represent a significant security risk. The documentation in SKILL.md also references non-existent models (e.g., gpt-5.4-mini), which may indicate unreliable or misleading content.
Capability Assessment
Purpose & Capability
The described functionality (automated plan → implement → review → PR over SSH or locally) is coherent with requiring Git, SSH, and GitHub access and LLM CLIs. However the SKILL.md relies on multiple external CLIs and LLM services (Claude Code CLI, Codex CLI, GitHub CLI) that are not reflected in the registry metadata, which is an inconsistency worth noting.
Instruction Scope
SKILL.md instructs the agent to read entire repositories (and optional CLAUDE.md files), create worktrees, run commands locally or over SSH, and transmit implementation/review tasks to external LLMs (Anthropic and OpenAI). It also directs storing API keys in ~/.oneshot/config.json and may mirror JSONL event logs. These actions involve reading and transmitting potentially sensitive source code and secrets to third-party services and executing commands on remote hosts—behaviors beyond a simple helper and requiring explicit user consent and trust in the skill source.
Install Mechanism
There is no install spec in the registry (skill is instruction-only), yet the README suggests installing via `bun install -g oneshot-ship`. The absence of an authoritative install source / package manifest in the registry means the skill's suggested installation path isn't verified here and should be checked before running.
Credentials
Registry metadata declares no required env vars, but SKILL.md explicitly requires ANTHROPIC_API_KEY and OPENAI_API_KEY, GitHub CLI authentication, and optionally a Linear API key in config. Requiring multiple cross-service credentials (LLM keys, GitHub auth, Linear) is reasonable for the described pipeline but the omission from metadata is a red flag. The skill also asks to persist these secrets in a plaintext config file (~/.oneshot/config.json), which increases risk.
Persistence & Privilege
The skill writes config and history files under the user's home (~/.oneshot/config.json, ~/.oneshot/history.json), creates temporary worktrees, and can run background jobs (--bg). It does not request always:true and does not modify other skills. Persisting API keys and history locally is expected for the tool but is sensitive and should be reviewed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install oneshot-ship
  3. After installation, invoke the skill by name or use /oneshot-ship
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
- Updated version info and description for clarity and accuracy - Added new flags: `--deep-review`, `--branch`, and `--events-file` - Improved pipeline description: now includes a classification step (`fast` or `deep`) and detailed review/finalization process - Enhanced usage examples and configuration details, including support for deep review and different base branches - Clarified that local mode works without a config file and worktree remains isolated
v0.0.1
initial release
Metadata
Slug oneshot-ship
Version 0.2.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Oneshot Ship?

Ship code with oneshot CLI. One command that plans, executes, reviews, and opens a PR. Runs over SSH or locally. Use when the user wants to ship code changes... It is an AI Agent Skill for Claude Code / OpenClaw, with 403 downloads so far.

How do I install Oneshot Ship?

Run "/install oneshot-ship" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Oneshot Ship free?

Yes, Oneshot Ship is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Oneshot Ship support?

Oneshot Ship is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Oneshot Ship?

It is built and maintained by Andrew Wilkinson (@adwilkinson); the current version is v0.2.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments