← 返回 Skills 市场

Firm Delivery Export

Name: Firm Delivery Export
Author: romainsantoli-web

作者 romainsantoli-web · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

329

总下载

当前安装

版本数

在 OpenClaw 中安装

/install firm-delivery-export

功能描述

Post-processing skill for firm-orchestration: converts the structured JSON output of a multi-agent workflow run into real deliverables — GitHub Pull Requests...

使用说明 (SKILL.md)

firm-delivery-export

Converts firm workflow output into real deliverables in team tooling.

Supported formats

Format	Target	Required env
`github_pr`	GitHub repository PR	`GITHUB_TOKEN`
`jira_ticket`	Jira issue	`JIRA_API_TOKEN` + `JIRA_BASE_URL`
`linear_issue`	Linear issue	`LINEAR_API_KEY`
`markdown_report`	Local file / chat	none
`structured_document`	Markdown with frontmatter	none
`project_brief`	Structured PDF-ready doc	none
`slack_digest`	Slack message via webhook	`SLACK_WEBHOOK_URL`

Usage (after firm-orchestration run)

Use firm-delivery-export to publish last workflow result as a GitHub PR:
  repo: "myorg/myrepo"
  branch: "ai/sprint-24-plan"
  title: "feat: Sprint 24 plan (AI-generated, human review pending)"
  reviewers: ["@john", "@sarah"]

GitHub PR output schema

{
  "format": "github_pr",
  "repo": "org/repo",
  "branch": "ai/{kebab-objective}",
  "base": "main",
  "title": "...",
  "body": "## AI-generated delivery\
\
{merged_output}\
\
---\
_Generated by firm-orchestration_",
  "draft": true,
  "reviewers": [],
  "labels": ["ai-generated", "needs-review"]
}

Jira ticket output schema

{
  "format": "jira_ticket",
  "project": "ENG",
  "issue_type": "Story",
  "summary": "...",
  "description": "{merged_output}",
  "priority": "Medium",
  "labels": ["ai-generated"],
  "components": []
}

Security notes

GITHUB_TOKEN must have repo scope — use fine-grained tokens scoped to target repo
All PRs are created as drafts by default (draft: true) — never auto-merged
Human review is mandatory: a needs-review label is applied unconditionally
JIRA_API_TOKEN is never logged (masked in audit trail)
Slack webhook URLs are treated as secrets (masked in JSONL audit)

Error handling

Error	Behavior
API rate limit	Retry with exponential backoff (3 attempts, max 30s)
Auth failure	Fail fast, output error to session, never retry
Network timeout	Fallback to `markdown_report` format locally
Invalid schema	Reject with validation error listing missing fields

Example with delivery pipeline

1. Run firm-orchestration:
   objective: "Document the payment service API"
   departments: ["engineering", "operations"]
   delivery_format: "github_pr"

2. Run firm-delivery-export automatically:
   → Creates draft PR "docs: Payment service API documentation"
   → Branch: ai/document-payment-service-api
   → Labels: ai-generated, needs-review, documentation
   → Assigns to @team-engineering for review

💎 Support

Si ce skill vous est utile, vous pouvez soutenir le développement :

Dogecoin : DQBggqFNWsRNTPb6kkiwppnMo1Hm8edfWq

安全使用建议

This skill appears to do what it says (create PRs/tickets/reports), but the registry requires multiple credentials by default which is unnecessary and increases risk. Before installing: (1) Ask the publisher to mark credentials optional or per-format so you only provide the tokens you actually need. (2) Use least-privilege, fine-grained tokens (repo-scoped GitHub token, limited Jira/Linear service account) and avoid org-level secrets. (3) Confirm whether SLACK_WEBHOOK_URL should be declared in metadata (it is documented but missing from required envs). (4) Test in a non-production account and rotate tokens if you revoke access. (5) If you enable autonomous invocation, be aware the agent could act with any provided credentials — prefer minimal credentials for that mode.

功能分析

Type: OpenClaw Skill Name: firm-delivery-export Version: 1.0.0 The skill's stated purpose is to integrate AI workflow output with external tools like GitHub, Jira, Linear, and Slack, which is a legitimate function. It declares requirements for sensitive environment variables (e.g., GITHUB_TOKEN, JIRA_API_TOKEN) and tools (curl, bash) necessary for its operation. The SKILL.md includes explicit security notes, such as creating GitHub PRs as drafts and masking API tokens, indicating an awareness of security best practices. There is no evidence of malicious prompt injection, data exfiltration, unauthorized execution, or persistence mechanisms in the provided files. The Dogecoin address is a non-security-related request for support.

能力评估

⚠ Purpose & Capability

The skill claims to create GitHub PRs, Jira and Linear issues and other deliverables — requiring GITHUB_TOKEN, JIRA_API_TOKEN, JIRA_BASE_URL and LINEAR_API_KEY is consistent if the skill must access all three systems. However, the registry lists all credentials as required (mandatory) rather than optional per-target format; that is disproportionate because a user wanting only GitHub output should not need to supply Jira and Linear secrets. Also SKILL.md documents SLACK_WEBHOOK_URL for a 'slack_digest' format but SLACK_WEBHOOK_URL is not listed in required envs, an inconsistency.

ℹ Instruction Scope

SKILL.md is instruction-only and confines actions to creating PRs, Jira/Linear tickets, local markdown reports, and optionally posting to Slack via webhook. It does not instruct reading arbitrary system files, shell history, or unrelated credentials. It does reference masking of tokens in audit logs. No instructions appear to exfiltrate unrelated data, but the instruction set assumes access to multiple external APIs and to secrets — scope is limited to integration endpoints but broad in reach if all credentials are provided.

✓ Install Mechanism

No install spec and no code files (instruction-only). Required binary is only curl, which is reasonable for HTTP calls. This minimizes on-disk risk; there's no download/execute step.

⚠ Credentials

The skill requires four secrets as mandatory in registry metadata (GITHUB_TOKEN, JIRA_API_TOKEN, JIRA_BASE_URL, LINEAR_API_KEY). Requiring multiple unrelated service credentials by default is disproportionate for a multi-format exporter: only the credentials required for the chosen output format should be necessary. The omission of SLACK_WEBHOOK_URL from required envs while it is documented as a required env for a supported format is an inconsistency. Broadly scoped or org-level tokens would increase risk; the SKILL.md partly mitigates this by recommending repository-scoped GitHub tokens, but the registry forcing all secrets increases the blast radius.

ℹ Persistence & Privilege

always is false and there is no install; disable-model-invocation is false (normal). Autonomous invocation is allowed (platform default). Because the skill may request multiple service credentials, autonomous runs could have a larger blast radius if credentials are present — consider this in combination with the broad required-env list.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install firm-delivery-export
安装完成后，直接呼叫该 Skill 的名称或使用 /firm-delivery-export 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

firm-delivery-export 1.0.0 — initial release: - Converts structured JSON workflow output into real deliverables: GitHub PRs, Jira or Linear tickets, Markdown reports, project briefs, and structured documents. - Acts as a bridge between agent output and team tooling for final delivery. - Supports error handling for API rate limits, auth failures, network issues, and schema validation. - Requires environment variables for relevant targets (e.g., GITHUB_TOKEN for GitHub, JIRA_API_TOKEN for Jira, LINEAR_API_KEY for Linear). - All output to GitHub is created as draft PRs with "needs-review" labels to enforce human review.

元数据

Slug firm-delivery-export

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题