← 返回 Skills 市场
Oneshot Ship
作者
Andrew Wilkinson
· GitHub ↗
· v0.2.1
· MIT-0
403
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install oneshot-ship
功能描述
Ship code with oneshot CLI. One command that plans, executes, reviews, and opens a PR. Runs over SSH or locally. Use when the user wants to ship code changes...
安全使用建议
Key points to consider before installing or running this skill:
- The SKILL.md requests ANTHROPIC_API_KEY, OPENAI_API_KEY, GitHub authentication, and optionally Linear API credentials, but the registry metadata lists none — assume you will need to provide these. Confirm the exact credentials required before proceeding.
- The pipeline will read whole repos and send code and prompts to external LLM services (Anthropic/OpenAI). If your repo contains sensitive information, do NOT run this against private repos unless you trust both the skill source and the LLM providers' data handling.
- The tool stores keys in ~/.oneshot/config.json (plaintext in home directory per the doc). Prefer ephemeral or least-privilege tokens, and avoid long-lived secrets in that file.
- The skill can operate over SSH and execute commands on remote servers. Only provide SSH access to hosts you fully control and audit what commands the oneshot tool will run (use --dry-run first).
- There is no install manifest in the registry; the README suggests installing via bun from a GitHub repo. Verify the upstream repository and its release artifacts before installing any global binary.
- Practical mitigations: run in --dry-run or --local mode first, inspect the prompts and what is sent to LLMs (prompts/*.txt and CLAUDE.md), use limited-scope GitHub PATs, use ephemeral LLM keys, and review ~/.oneshot/config.json and history after runs. If you cannot verify the source code or provenance, treat this skill as untrusted.
功能分析
Type: OpenClaw Skill
Name: oneshot-ship
Version: 0.2.1
The oneshot-ship skill automates a code-shipping pipeline requiring high-privilege access, including SSH, GitHub CLI authentication, and multiple API keys (Anthropic, OpenAI, Linear) stored in `~/.oneshot/config.json`. While the functionality aligns with its stated purpose of automating PRs and code execution, the broad permissions and the handling of sensitive credentials across remote environments represent a significant security risk. The documentation in SKILL.md also references non-existent models (e.g., gpt-5.4-mini), which may indicate unreliable or misleading content.
能力评估
Purpose & Capability
The described functionality (automated plan → implement → review → PR over SSH or locally) is coherent with requiring Git, SSH, and GitHub access and LLM CLIs. However the SKILL.md relies on multiple external CLIs and LLM services (Claude Code CLI, Codex CLI, GitHub CLI) that are not reflected in the registry metadata, which is an inconsistency worth noting.
Instruction Scope
SKILL.md instructs the agent to read entire repositories (and optional CLAUDE.md files), create worktrees, run commands locally or over SSH, and transmit implementation/review tasks to external LLMs (Anthropic and OpenAI). It also directs storing API keys in ~/.oneshot/config.json and may mirror JSONL event logs. These actions involve reading and transmitting potentially sensitive source code and secrets to third-party services and executing commands on remote hosts—behaviors beyond a simple helper and requiring explicit user consent and trust in the skill source.
Install Mechanism
There is no install spec in the registry (skill is instruction-only), yet the README suggests installing via `bun install -g oneshot-ship`. The absence of an authoritative install source / package manifest in the registry means the skill's suggested installation path isn't verified here and should be checked before running.
Credentials
Registry metadata declares no required env vars, but SKILL.md explicitly requires ANTHROPIC_API_KEY and OPENAI_API_KEY, GitHub CLI authentication, and optionally a Linear API key in config. Requiring multiple cross-service credentials (LLM keys, GitHub auth, Linear) is reasonable for the described pipeline but the omission from metadata is a red flag. The skill also asks to persist these secrets in a plaintext config file (~/.oneshot/config.json), which increases risk.
Persistence & Privilege
The skill writes config and history files under the user's home (~/.oneshot/config.json, ~/.oneshot/history.json), creates temporary worktrees, and can run background jobs (--bg). It does not request always:true and does not modify other skills. Persisting API keys and history locally is expected for the tool but is sensitive and should be reviewed.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install oneshot-ship - 安装完成后,直接呼叫该 Skill 的名称或使用
/oneshot-ship触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.1
- Updated version info and description for clarity and accuracy
- Added new flags: `--deep-review`, `--branch`, and `--events-file`
- Improved pipeline description: now includes a classification step (`fast` or `deep`) and detailed review/finalization process
- Enhanced usage examples and configuration details, including support for deep review and different base branches
- Clarified that local mode works without a config file and worktree remains isolated
v0.0.1
initial release
元数据
常见问题
Oneshot Ship 是什么?
Ship code with oneshot CLI. One command that plans, executes, reviews, and opens a PR. Runs over SSH or locally. Use when the user wants to ship code changes... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 403 次。
如何安装 Oneshot Ship?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install oneshot-ship」即可一键安装,无需额外配置。
Oneshot Ship 是免费的吗?
是的,Oneshot Ship 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Oneshot Ship 支持哪些平台?
Oneshot Ship 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Oneshot Ship?
由 Andrew Wilkinson(@adwilkinson)开发并维护,当前版本 v0.2.1。
推荐 Skills