Open Source Contributor
Author: Wahaj Ahmed · GitHub · v1.0.0 · MIT-0
Total downloads: 120
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw: /install open-source-contributor
Description
Autonomously scouts GitHub for beginner issues, writes fixes by complexity, tests, and submits PRs while enforcing safety and approval thresholds.
Safety recommendations
Key things to consider before installing:
- Source and provenance: the skill's repository and owner are not a known, trusted maintainer. Review the code yourself (especially setup.py and any code that would actually push PRs) before running any install steps.
- Credentials: this skill needs a GitHub Personal Access Token (the code expects GITHUB_TOKEN / setup input). Use a dedicated token with only public_repo scope and rotate it after testing. Do NOT reuse a personal token that has broader scopes.
- Token storage: setup.py will save the token into ~/.openclaw/workspace/contrib-scout/config.json in plain text. If you prefer not to persist the token, skip running setup.py interactive steps and set GITHUB_TOKEN as an environment variable for the session or modify the code to avoid writing the token to disk.
- Data exposure: the Coder subagent is configured to use qwen3-coder-next:cloud. That means repository files and issue text will be sent to an external cloud model. If repositories contain sensitive data (even in history), do not use the cloud coder — either run in human-review mode only or modify the pipeline to use a local model.
- Autonomy: start in the 'Approval-First' or manual mode. Do initial dry runs and review the first several drafted PRs before enabling auto-submit. The safety docs recommend this; follow it.
- Implementation gaps: the pipeline prepares tasks and subagent calls, but the Submitter steps are not fully implemented (no concrete GitHub API calls present). Expect that you may need to add or inspect the code that actually opens PRs to confirm it behaves as you want.
Actions to reduce risk:
- Run the pipeline locally in dry-run/manual mode and inspect all generated drafts and logs before any network operations.
- Use a throwaway or secondary GitHub account/token for initial testing so any accidental commits won't affect your main account.
- Inspect/modify the code to avoid persisting tokens and to avoid sending repo contents to external models if that is a concern.
If the author updates the registry metadata to declare the GITHUB_TOKEN requirement, documents where and how repo data is sent to external services, and either implements PR submission with explicit safe handling or offers a local-model option, my confidence in this being coherent/safe would increase.
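The token-handling advice above (keep GITHUB_TOKEN in the session environment, never in config.json) can be turned into a small guard. The following is an added example written for this review; it is not the skill's own scripts/setup.py. It assumes a flat JSON config, that a persisted token would sit under a key such as "github_token" (the real key name is not on the page), and that tokens carry GitHub's documented "ghp_" / "github_pat_" prefixes.

```python
"""Added example: resolve the GitHub PAT from the environment only, write a
config.json that never contains it, and detect a token that an earlier
interactive setup run may already have persisted to disk."""
import json
import os
import re
from pathlib import Path
from typing import Mapping

# Path the review says setup.py writes to; only a token-free config is written here.
CONFIG_PATH = Path.home() / ".openclaw" / "workspace" / "contrib-scout" / "config.json"

# Assumed key names a token might have been stored under (not taken from the skill).
TOKEN_KEYS = frozenset({"github_token", "token", "GITHUB_TOKEN", "pat"})

# Classic PATs start with ghp_, fine-grained PATs with github_pat_.
PAT_RE = re.compile(r"(ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})")


def redact(secret: str) -> str:
    """Keep only enough of a token to recognise it in a log line."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def resolve_token(env: Mapping[str, str] = os.environ) -> str:
    """Read the PAT from the session environment, never from config.json."""
    token = env.get("GITHUB_TOKEN", "").strip()
    if not token:
        raise RuntimeError("GITHUB_TOKEN is not set; export it for this session only")
    if not PAT_RE.fullmatch(token):
        raise RuntimeError("GITHUB_TOKEN does not look like a GitHub PAT: " + redact(token))
    return token


def strip_secrets(config: dict) -> dict:
    """Return a copy of config without token-like keys or token-like values."""
    clean = {}
    for key, value in config.items():
        if key in TOKEN_KEYS:
            continue
        if isinstance(value, str) and PAT_RE.search(value):
            continue
        clean[key] = value
    return clean


def write_config(config: dict, path: Path = CONFIG_PATH) -> dict:
    """Persist the non-secret part of the config with owner-only permissions."""
    clean = strip_secrets(config)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(clean, indent=2))
    path.chmod(0o600)  # the remaining settings still describe your account
    return clean


def find_persisted_tokens(config_text: str) -> list:
    """Report keys in an existing config.json whose value looks like a PAT."""
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError:
        # Not JSON at all: still flag it if a token pattern is present anywhere.
        return ["<unparseable>"] if PAT_RE.search(config_text) else []
    if not isinstance(data, dict):
        return []
    hits = []
    for key, value in data.items():
        if isinstance(value, str) and value and (key in TOKEN_KEYS or PAT_RE.search(value)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Constructed sample resembling what an interactive setup run might have written.
    sample = {"github_token": "ghp_" + "A" * 36, "mode": "approval-first"}
    print("leaked keys:", find_persisted_tokens(json.dumps(sample)))
    print("config to write:", strip_secrets(sample))
```

Run `find_persisted_tokens` over the existing config.json before first use; if it reports a key, revoke and rotate that token rather than just deleting the line, since the plaintext copy may already be in backups or shell history.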
Capability analysis
Type: OpenClaw Skill
Name: open-source-contributor
Version: 1.0.0
The skill bundle is designed for autonomous GitHub contributions, which involves high-risk operations such as cloning external repositories and executing their test suites (e.g., pytest, npm test), creating a potential Remote Code Execution (RCE) vector. It also collects and stores GitHub Personal Access Tokens in a local configuration file (~/.openclaw/workspace/contrib-scout/config.json) via scripts/setup.py. While the bundle includes extensive safety guardrails—such as graduated complexity levels, blocked file patterns for sensitive data (auth, crypto, secrets), and an auto-pause feature based on PR rejection rates—the inherent risks associated with automated code execution and credential handling align with the 'suspicious' classification for risky capabilities.
Capability tags
Capability assessment
Purpose & Capability
The skill's stated purpose (autonomously finding issues, writing fixes, running tests, and opening PRs) matches the included scripts and README. However, the registry-level metadata claims no required env vars/credentials while install.json, README, SKILL.md, and setup.py all expect a GITHUB_TOKEN. That metadata mismatch is an incoherence that could mislead users about what secrets the skill needs.
Instruction Scope
SKILL.md and the scripts clearly instruct the agent to read cloned repositories, run tests, and use a cloud model (qwen3-coder-next:cloud) to generate code. That behavior is consistent with the described purpose, but it means repository source (and potentially secrets present in repos) may be sent to an external model; this is significant data exposure and should be explicit. The code also promises full PR submission under the user's identity, but the Submitter is only described as a task (no concrete API calls implemented), so the implementation is incomplete/ambiguous.
Install Mechanism
There is no remote download of third-party binaries; the package is instruction/script-based and shipped locally. install.json declares a postInstall that runs scripts/setup.py, which is interactive and will persist configuration. Running setup.py at install time (postInstall) may prompt and store sensitive data unexpectedly; this is a moderate installer risk but not a remote code-download risk.
Credentials
Requesting a GitHub personal access token (public_repo scope) is appropriate for opening PRs, so the credential itself is proportionate. But the registry metadata incorrectly lists no required env vars. Additionally, setup.py writes the token into ~/.openclaw/workspace/contrib-scout/config.json (plain text), contradicting the README's admonition to 'store token in environment variable' — persisting the token to disk increases risk if the machine is shared or compromised. The skill will also send repository contents to a cloud model (qwen3-coder-next:cloud), which is functionally related to the purpose but a significant data-leak/privacy consideration that should be explicit and under user control.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does persist configuration, logs, and cloned repos under ~/.openclaw/workspace/contrib-scout/, which is expected for this functionality. The postInstall running setup.py is potentially surprising (interactive token entry and config write) and could be considered intrusive if not made clear at install time.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install open-source-contributor
- After installation, call the Skill by name directly or trigger it with /open-source-contributor
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release with graduated complexity levels
Metadata
FAQ
What is Open Source Contributor?
Autonomously scouts GitHub for beginner issues, writes fixes by complexity, tests, and submits PRs while enforcing safety and approval thresholds. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 120 downloads to date.
How do I install Open Source Contributor?
Run the command "/install open-source-contributor" in the OpenClaw or Claude Code chat box to install it with one click; no additional configuration is required.
Is Open Source Contributor free?
Yes, Open Source Contributor is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.
Which platforms does Open Source Contributor support?
Open Source Contributor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Open Source Contributor?
Developed and maintained by Wahaj Ahmed (@wahajahmed010); current version v1.0.0.