Total downloads: 385 | Favorites: 0 | Currently installed: 0 | Versions: 1
Install in OpenClaw:
/install gh-triage
Feature description
Automatically scans GitHub repos to label, comment, assign, and fix issues and PRs for efficient triage and reporting.
Usage instructions (SKILL.md)
gh-triage
Proactive GitHub issues/PR triage and lightweight fixes.
What it does
- Periodically (cron) scans configured repositories for new issues and PRs
- Labels, comments, and assigns based on simple rules (area labels, needs-info, triage-needed)
- Can apply small fixes automatically (typo fixes, formatting, missing issue templates) when enabled
- Emits a report and creates follow-up tasks for maintainers
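The rule-based labelling described above, as an added example that is not part of the gh-triage project's code: one decision function over a constructed rule set (area keywords, the sections a usable report must contain) producing the area / needs-info / triage-needed labels and the comment the bot would post. The rule names, the sample issues and the required-section list are assumptions for illustration, not the skill's real config schema.

```javascript
// Added example, not gh-triage's own code. Rule set and sample issues are
// constructed; a real deployment would load them from config.json.
const SAMPLE_RULES = {
  // area labels: applied when title or body contains one of the keywords
  areas: {
    'area/auth': ['login', 'oauth', 'token'],
    'area/ci': ['github actions', 'workflow', 'pipeline'],
  },
  // sections a usable bug report must contain; any one missing => needs-info
  requiredSections: ['steps to reproduce', 'expected', 'actual'],
};

function normalize(text) {
  return (text || '').toLowerCase();
}

// Decide which labels to add to one issue or PR. Returns a sorted, de-duplicated list.
function decideLabels(issue, rules = SAMPLE_RULES) {
  const haystack = normalize(issue.title) + '\n' + normalize(issue.body);
  const labels = new Set();

  for (const [label, keywords] of Object.entries(rules.areas)) {
    if (keywords.some((kw) => haystack.includes(kw))) labels.add(label);
  }

  // Only issues are bug reports; PRs are not asked for reproduction steps.
  if (!issue.isPullRequest) {
    const missing = rules.requiredSections.filter((s) => !haystack.includes(s));
    if (missing.length > 0) labels.add('needs-info');
  }

  // Nothing matched an area: a maintainer still has to look at it.
  if (![...labels].some((l) => l.startsWith('area/'))) labels.add('triage-needed');

  return [...labels].sort();
}

// The comment the bot would post for the decided labels ('' means stay silent).
function draftComment(labels) {
  if (labels.includes('needs-info')) {
    return 'Thanks for the report. Please add: steps to reproduce, expected and actual behaviour.';
  }
  if (labels.includes('triage-needed')) {
    return 'No area rule matched; a maintainer will triage this.';
  }
  return '';
}

// Constructed issues (not real GitHub data).
const SAMPLE_ISSUES = [
  { number: 1, title: 'Login fails with OAuth token', body: 'Steps to reproduce: ...\nExpected: ...\nActual: ...', isPullRequest: false },
  { number: 2, title: 'Crash on start', body: 'it just crashes', isPullRequest: false },
  { number: 3, title: 'Fix workflow cache key', body: 'Small CI tweak', isPullRequest: true },
];

for (const issue of SAMPLE_ISSUES) {
  const labels = decideLabels(issue);
  console.log(`#${issue.number}: [${labels.join(', ')}] ${draftComment(labels)}`);
}
```

Keeping the decision pure (labels in, labels out, no Octokit call inside) is what makes the rule set reviewable and testable before the skill is allowed to write to a repository.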
Files
- index.js — main skill entrypoint (node)
- package.json — dependencies and scripts
- SKILL.md — this file
- config.example.json — configuration template for repos, tokens, rules
Security
- Requires a GitHub token with repo access. Keep secrets out of the repo; provide via environment variables or the host secret store.
Usage
- Install by placing the folder in workspace/skills and follow project conventions
- Configure repos and rules in config.json (copy config.example.json)
- Run with: node index.js or integrate with OpenClaw skill loader
License: MIT
Safe-usage recommendations
This skill does what it says (triage and automatic small fixes), but be cautious: the code requires a GH_TOKEN (not declared in the registry metadata), clones repositories, and runs `npm ci`/`npx` and other commands that can execute code from the target repository or its dependencies. Before installing:
- Supply only a least-privilege GitHub token: limit it to the specific repositories and the narrowest scopes needed; if you do not want pushes or PRs, use a read-only token.
- Run the skill in an isolated environment (container or sandbox), because it executes repository code.
- Inspect and verify the skill's code and every repository you configure.
- Disable, or carefully review, the auto-fix behaviour (commits/pushes) until you trust the environment and the token handling.
- Store secrets in your host secret store rather than in plaintext env files.
The metadata inconsistencies (undeclared env vars, and config.example.json shipped in place of a configurable config.json) are additional warnings: treat this as a prototype that needs hardening rather than a drop-in safe tool.
Functional analysis
Type: OpenClaw Skill
Name: gh-triage
Version: 0.1.0
The skill includes a script `auto_fix.js` that clones external repositories and executes `npm ci`, `npm run lint`, and `npm test` inside the cloned directory. That is code execution by design: `npm ci` runs the preinstall/install/postinstall/prepare scripts of every dependency in the lockfile, and `npm run lint` and `npm test` run whatever the repository's package.json declares, so anyone who can land code in a triaged repository (or publish one of its dependencies) can run arbitrary commands on the host that executes the skill. The steps are consistent with the stated goal of automated PR fixes, but nothing isolates that third-party code: `npm ci --ignore-scripts` would block the install-time hooks, yet lint and test still execute repository code, so only a sandboxed execution environment covers all three steps.
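The isolation recommended in the safe-usage list above (run the skill in a container, keep auto-fix under review) and the clone/`npm ci`/lint/test hazard this analysis describes, as an added example rather than the project's own code: a host-side planner that builds one locked-down `docker run` per step, gives network access only to the install step (which runs with `--ignore-scripts`), and refuses to forward anything that looks like a credential into the sandbox. The image name, mount paths, uid and resource limits are assumptions; the checkout directory is assumed writable by the unprivileged uid.

```javascript
// Added example, not gh-triage's own code. Image, paths and limits are assumptions.
const SANDBOX_IMAGE = 'node:20-alpine'; // assumption: provides node, npm and a `timeout` binary

// Repo-supplied code runs inside the sandbox, so the GitHub token must never
// be visible there. Commit/push happens on the host after the sandbox exits.
function assertNoSecrets(env) {
  for (const key of Object.keys(env)) {
    if (/TOKEN|SECRET|PASSWORD|PRIVATE_KEY/i.test(key)) {
      throw new Error(`refusing to pass ${key} into the sandbox`);
    }
  }
}

// `docker run` argv for one step: no network by default, read-only image
// filesystem, all capabilities dropped, no privilege escalation, unprivileged
// uid, memory/pid caps and a wall-clock timeout around the command.
function sandboxArgv(checkoutDir, command, opts = {}) {
  const { image = SANDBOX_IMAGE, network = 'none', env = {}, memory = '1g', pids = 256, timeoutSec = 600 } = opts;
  if (!checkoutDir.startsWith('/')) throw new Error('checkoutDir must be an absolute host path');
  assertNoSecrets(env);
  const envArgs = Object.entries(env).flatMap(([k, v]) => ['-e', `${k}=${v}`]);
  return [
    'docker', 'run', '--rm',
    '--network', network,
    '--read-only',
    '--tmpfs', '/tmp:rw,noexec,nosuid,size=512m',
    '--cap-drop', 'ALL',
    '--security-opt', 'no-new-privileges',
    '--pids-limit', String(pids),
    '--memory', memory,
    '--user', '65534:65534',             // nobody: never root inside the sandbox
    '-e', 'HOME=/tmp',
    '-e', 'npm_config_cache=/tmp/npm-cache', // npm must not write outside tmpfs/checkout
    ...envArgs,
    '-v', `${checkoutDir}:/work:rw`,     // rw because lint --fix edits the checkout
    '-w', '/work',
    image,
    'timeout', String(timeoutSec), ...command,
  ];
}

// One container per step. Only install gets network (it has to fetch
// packages) and it runs with --ignore-scripts so no lifecycle hook executes;
// lint and test execute repo code by design, so they run with no network.
function buildPlan(checkoutDir) {
  return [
    { name: 'install', argv: sandboxArgv(checkoutDir, ['npm', 'ci', '--ignore-scripts', '--no-audit', '--no-fund'], { network: 'bridge' }) },
    { name: 'lint', argv: sandboxArgv(checkoutDir, ['npm', 'run', 'lint']) },
    { name: 'test', argv: sandboxArgv(checkoutDir, ['npm', 'test']) },
  ];
}

// Policy check to run over any argv before it is spawned.
function violations(argv) {
  const problems = [];
  if (argv.includes('--privileged')) problems.push('privileged container');
  if (!argv.includes('--cap-drop')) problems.push('capabilities not dropped');
  if (argv.some((a) => a.includes('docker.sock'))) problems.push('docker socket mounted');
  return problems;
}

for (const step of buildPlan('/srv/triage/checkouts/example-repo')) {
  console.log(step.name, '->', step.argv.join(' '), violations(step.argv));
}
```

The planner only builds argv; the caller spawns each step with `child_process.spawn(argv[0], argv.slice(1))` and stops the plan at the first non-zero exit. Splitting install from lint/test is the point: a compromised dependency cannot use the install step to run code, and repo code that runs during lint/test cannot reach the network or the token.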
Capability assessment
Purpose & Capability
The SKILL.md and the code require a GH_TOKEN for repo access and auto-fixing, and auto_fix.js optionally requires GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL, but the registry metadata declares neither required environment variables nor a primary credential. A GitHub token is necessary for the skill to function at all, so the metadata and the code disagree.
Instruction Scope
Runtime instructions (and code) clone the configured repos, run `npm ci`, run lint/format/test scripts, and commit/push changes using the provided token. `npm ci` and `npx` can execute package lifecycle scripts or fetch and run code from the npm registry or from the repo itself, so arbitrary repo-supplied code can run on the host. The skill also embeds the token in the HTTPS clone URL and performs write operations (create branch, commit, push, open PR). These behaviours go beyond passive triage and carry both execution and write risks.
Install Mechanism
There is no external download/install spec; the package includes normal Node.js files and a package.json with standard dependencies (@octokit/rest, node-cron, dotenv). No arbitrary remote archive downloads or URL shorteners are used.
Credentials
Asking for a GitHub token is proportionate to triage and push operations, but the token is not declared in the metadata, and the code expects additional env vars (GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL) for commits. The token needs enough repo permission to push (write access), which is powerful; the metadata should declare this, and users should be advised to use least-privilege tokens. The skill also places the token in the HTTPS clone URL, so it lands in `.git/config` (remote.origin.url) of every clone and in any log line or process listing that shows the command.
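The token-handling points raised in the safe-usage list, the Instruction Scope note and this Credentials section, as an added example that is not the project's code: (1) clone with the token read from the environment by a one-shot git credential helper instead of being pasted into the URL, so argv, shell history and `.git/config` carry only the literal text `$GH_TOKEN`; (2) redact URL userinfo and GitHub token prefixes before anything is logged; (3) judge a classic token's scopes from the `X-OAuth-Scopes` header GitHub returns on API responses. Repo names and the sample token are constructed; the username handed to the helper is a placeholder, since GitHub ignores it for token authentication.

```javascript
// Added example, not gh-triage's own code. Repo names and the sample token are constructed.

// 1. Clone without the token in the URL. `git -c credential.helper=...` applies to
//    this one invocation only; the helper is a shell function that prints the
//    credential at run time, so the token value never appears in argv or on disk.
const CRED_HELPER = '!f() { echo "username=x-access-token"; echo "password=$GH_TOKEN"; }; f';

function cloneArgv(owner, repo, dest, depth = 1) {
  for (const part of [owner, repo]) {
    if (!/^[A-Za-z0-9._-]+$/.test(part)) throw new Error(`bad repo component: ${part}`);
  }
  return [
    'git', '-c', `credential.helper=${CRED_HELPER}`,
    'clone', '--depth', String(depth),
    `https://github.com/${owner}/${repo}.git`, dest,
  ];
}

// Guard to run before spawning: true if the real token value leaked into argv.
function argvMentionsToken(argv, token) {
  return argv.some((a) => a.includes(token));
}

// 2. Redact before logging: userinfo in URLs (https://TOKEN@host/...) and
//    GitHub token formats (ghp_ classic PAT, github_pat_ fine-grained,
//    ghs_/gho_/ghu_/ghr_ app and OAuth tokens).
const URL_USERINFO = /(https?:\/\/)[^\/\s@]+@/g;
const GH_TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b/g;

function redact(line) {
  return line.replace(URL_USERINFO, '$1[REDACTED]@').replace(GH_TOKEN_RE, '[REDACTED]');
}

// 3. Classic scopes are coarse: `repo` and `public_repo` both grant write and
//    there is no read-only classic scope for private repos. An empty header
//    means a fine-grained PAT or app token, whose permissions must be checked
//    per repository instead.
const WRITE_SCOPES = new Set(['repo', 'public_repo']);
const UNRELATED_SCOPES = ['delete_repo', 'admin:org', 'admin:repo_hook', 'workflow'];

function assessScopes(oauthScopesHeader, { needWrite }) {
  const scopes = (oauthScopesHeader || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (scopes.length === 0) {
    return { classic: false, scopes, overPrivileged: null, unrelated: [], note: 'no classic scopes: verify fine-grained permissions per repo' };
  }
  const hasWrite = scopes.some((s) => WRITE_SCOPES.has(s));
  const unrelated = scopes.filter((s) => UNRELATED_SCOPES.includes(s));
  return {
    classic: true,
    scopes,
    overPrivileged: (!needWrite && hasWrite) || unrelated.length > 0,
    unrelated,
    note: needWrite && !hasWrite ? 'token cannot push: auto-fix will fail' : '',
  };
}

const SAMPLE_TOKEN = 'ghp_abcdefghijklmnopqrstuvwxyz1234'; // constructed, not a real token
const argv = cloneArgv('octo', 'example', '/srv/triage/checkouts/example');
console.log(argv.join(' '), '| leaks token:', argvMentionsToken(argv, SAMPLE_TOKEN));
console.log(redact(`fatal: https://${SAMPLE_TOKEN}@github.com/octo/example.git`));
console.log(assessScopes('repo, read:org', { needWrite: false }));
```

Spawn the clone with `GH_TOKEN` present in the child's environment and nothing else; because `-c` is per-invocation, the resulting `.git/config` contains neither the helper nor the token, and the same helper string can be reused for the later `git push`.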
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It can run autonomously (default model invocation allowed), which combined with an over-privileged GH token increases blast radius — but autonomous invocation alone is expected for skills.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install gh-triage
- Once installed, call the Skill by name or trigger it with /gh-triage
- Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history
v0.1.0
Initial release: GitHub issues/PR triage automation.
FAQ
What is GH Triage?
Automatically scans GitHub repos to label, comment, assign, and fix issues and PRs for efficient triage and reporting. It is an AI Agent Skill plug-in for Claude Code / OpenClaw, with 385 downloads to date.
How do I install GH Triage?
Run the command "/install gh-triage" in the OpenClaw or Claude Code chat box to install it in one step. Per the SKILL.md above, the skill still needs a config.json (copied from config.example.json) and a GitHub token supplied through the environment or the host secret store before it will run.
Is GH Triage free?
Yes, GH Triage is completely free (open source, MIT licence) and can be freely downloaded, installed and used.
Which platforms does GH Triage support?
GH Triage runs cross-platform: it can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed GH Triage?
Developed and maintained by gruted (@gruted); current version v0.1.0.