kbo4sho

OSS Contributor

Author: Kevin Bolander · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 411
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install oss-contributor
Description
Discover and resolve open source GitHub issues across community repos during idle time. Finds good-first-issue/help-wanted/documentation issues, forks repos,...
Safe-usage recommendations
This skill mostly does what it says, but pause before installing.
1) Only provide a GH_TOKEN with the minimal scopes needed (create forks/PRs) — do not hand over a full personal access token unless you understand the scopes; consider creating a dedicated token for this skill.
2) The SKILL.md uses jq but jq is not declared as required — either install jq or update the skill; otherwise the skill may fail.
3) The --notify-channel option implies sending messages (Telegram) but no bot token or webhook env var is declared — ask the author how notifications are authenticated and what env vars are needed.
4) Review and be comfortable with the skill reading/writing files at $HOME/clawd/*. Use --dry-run and a low --limit first, and consider running with a test GitHub account or a token scoped to only public repos.
5) If you need higher confidence, ask the publisher for (a) an explicit list of required binaries, (b) minimal GH_TOKEN scopes, and (c) details on external notification configuration (what env vars or webhooks it will use).
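The recommendations above are checkable before the skill is ever installed. The following preflight script is an added example, not part of this listing or of the skill itself: it confirms that the binaries the SKILL.md actually uses (curl, git and the undeclared jq) are on PATH, parses the X-OAuth-Scopes header that GitHub returns for classic personal access tokens, and reports any scope beyond an allowed set. The allowed set (public_repo, workflow) and the notification env var name are assumptions, since the listing says the publisher has not documented either; adjust them once the author answers.

```python
"""Preflight checks for the oss-contributor skill (added example, not the skill's own code)."""
import os
import shutil
from urllib.request import Request, urlopen

# Binaries the SKILL.md uses. jq is used in its examples but not declared as required.
REQUIRED_BINARIES = ("curl", "git", "jq")

# ASSUMPTION: a minimal classic-token scope set for fork/branch/push/PR work on public
# repos. The listing does not document the skill's real minimum; confirm with the publisher.
ALLOWED_SCOPES = frozenset({"public_repo", "workflow"})

# ASSUMPTION: placeholder name for the undeclared notification credential.
NOTIFY_TOKEN_ENV = "NOTIFY_TOKEN_ENV_PLACEHOLDER"


def missing_binaries(required=REQUIRED_BINARIES, which=shutil.which):
    """Return the names in `required` that cannot be found on PATH."""
    return [name for name in required if which(name) is None]


def fetch_scopes_header(token, api="https://api.github.com/user"):
    """Ask GitHub which classic scopes `token` carries (network call, not used in tests).

    Equivalent to: curl -sI -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/user
    """
    req = Request(api, headers={"Authorization": f"Bearer {token}",
                                "User-Agent": "oss-contributor-preflight"})
    with urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


def scopes_from_header(header_value):
    """Parse the comma-separated X-OAuth-Scopes value, e.g. 'repo, workflow'.

    Fine-grained tokens carry no classic scopes, so the header is empty for them.
    """
    if not header_value:
        return frozenset()
    return frozenset(part.strip() for part in header_value.split(",") if part.strip())


def excess_scopes(granted, allowed=ALLOWED_SCOPES):
    """Scopes the token has that the skill should not need, sorted for stable output."""
    return sorted(set(granted) - set(allowed))


def preflight(scope_header, which=shutil.which, notify_channel=None, env=None):
    """Collect human-readable findings; an empty list means nothing blocked the install."""
    env = os.environ if env is None else env
    findings = []

    missing = missing_binaries(which=which)
    if missing:
        findings.append("missing binaries: " + ", ".join(missing))

    granted = scopes_from_header(scope_header)
    if not granted:
        # Fine-grained token or unreadable header: scope review must be done by hand.
        findings.append("token reports no classic scopes; review its permissions manually")
    extra = excess_scopes(granted)
    if extra:
        findings.append("token scopes beyond the allowed set: " + ", ".join(extra))

    if notify_channel and not env.get(NOTIFY_TOKEN_ENV):
        findings.append(f"--notify-channel {notify_channel} requested but {NOTIFY_TOKEN_ENV} is unset")

    return findings


if __name__ == "__main__":
    # Constructed header value standing in for a real API response.
    for line in preflight("repo, workflow", notify_channel="telegram", env={}):
        print("WARN:", line)
```

Run it against the real header by replacing the constructed value with `fetch_scopes_header(os.environ["GH_TOKEN"])`; any finding about extra scopes means the token should be re-issued before the skill gets it.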
Functional analysis
Type: OpenClaw Skill
Name: oss-contributor
Version: 1.0.0
The skill is designed to automate open-source contributions, but it contains a significant vulnerability. In Phase 5, the sub-agent is instructed to clone arbitrary GitHub repositories and then 'Run tests' within those cloned repositories. This creates a Remote Code Execution (RCE) risk, as a malicious actor could craft a repository with harmful scripts disguised as tests, which the agent would then execute. While the skill's overall intent appears benign, this RCE vector makes it suspicious. Other actions, such as accessing the GH_TOKEN from `~/.openclaw/openclaw.json` and using `curl` for GitHub API calls, are sensitive but align with the skill's stated purpose.
Capability assessment
Purpose & Capability
Name/description (discover/triage/fix GitHub issues and open PRs) align with the instructions: the SKILL.md uses the GitHub REST API, forks/repos/PR workflow, and requires curl + git. Requesting GH_TOKEN as the primary credential is expected for acting on a user's behalf.
Instruction Scope
The runtime instructions read and write local state ($HOME/clawd/oss-contributor.json, $HOME/clawd/memory/oss-activity.json, $HOME/clawd/memory/oss-history.json) and perform actions on GitHub (create forks/PRs). Those actions are within the declared purpose, but the SKILL.md explicitly uses the `jq` tool in examples (e.g., parsing /user output) yet jq is not listed as a required binary. The skill also exposes a --notify-channel flag (Telegram) but does not declare any required environment variable for a Telegram bot/token — this is an undeclared external-sending capability. These mismatches need clarification.
Install Mechanism
Instruction-only skill with no install spec and no code files: lowest installation risk. It doesn't download or write installer artifacts beyond using existing binaries and workspace files.
Credentials
Only GH_TOKEN is declared as the primary credential — appropriate for GitHub operations — but the SKILL.md will need a token with privileges to fork, create branches, push commits, and open PRs (likely repo and possibly workflow scopes). The skill does not document the minimum token scopes to limit risk. Additionally, the potential Telegram notification feature implies a missing credential (bot token) which is not declared; this is an unexplained request for external network communication capability.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill stores activity/history under $HOME/clawd which is within the user's workspace; it does not request always-on privilege or modify other skills. Autonomous invocation is enabled by default (disable-model-invocation:false), which is normal for skills but means the skill could act without interactive approval if --auto/--yes flags are used.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install oss-contributor
  3. After installation, call the skill by name or trigger it with /oss-contributor
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial release: discover and resolve open source GitHub issues during agent idle time. Fork, fix, PR workflow with mandatory AI disclosure, repo PR template support, daily limits, and etiquette rules.
Metadata
Slug oss-contributor
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is OSS Contributor?

Discover and resolve open source GitHub issues across community repos during idle time. Finds good-first-issue/help-wanted/documentation issues, forks repos,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 411 downloads to date.

How do I install OSS Contributor?

Run the command "/install oss-contributor" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is OSS Contributor free?

Yes, OSS Contributor is completely free (open source and free of charge) and can be downloaded, installed and used freely.

Which platforms does OSS Contributor support?

OSS Contributor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed OSS Contributor?

Developed and maintained by Kevin Bolander (@kbo4sho); the current version is v1.0.0.
