
PR + Commit Workflow

Author: joshp123 · GitHub · v1.0.0
cross-platform · ⚠ suspicious
Total downloads: 3191
Favorites: 0
Current installs: 13
Versions: 1
Install in OpenClaw
/install pr-commit-workflow
Description
This skill should be used when creating commits or pull requests, enforcing a human-written PR structure, intent capture, and evidence in agentic workflows.
Safe usage recommendations
This skill aims to produce high-quality, auditable PRs, but it requires collecting and embedding the 'full prompt history' and environment metadata into PR bodies, data that often contains sensitive information (API keys, passwords, private prompts). Before installing, consider:
  1. Do you ever store secrets or private data in prompts or agent logs? If yes, do NOT enable automatic inclusion of full prompt history.
  2. The skill expects to run gh/git commands but does not declare those binaries; ensure gh is installed and that you trust the skill to run it.
  3. The provided scripts read many environment variables and look for local agent files; review scripts/build_pr_body.sh locally to see exactly what will be collected.
  4. Ask the maintainer (or modify locally) to: a) require explicit user consent before collecting or publishing prompt history or environment metadata; b) make redaction rules strict and automatic (remove credentials, tokens, secrets) rather than leaving redaction to the agent's discretion; c) add an option to include only metadata (harness/model) rather than full prompts; d) declare required binaries (gh, git) in metadata.
  5. If you want to use this skill but limit the risk: disable autonomous invocation for it, require a human confirmation step before any collection or publishing, and test the build_pr_body.sh script in a sandbox to confirm it does not reveal anything you consider private.
If these mitigations cannot be implemented, treat the skill as unsafe for repositories where prompt history or environment metadata may include secrets.
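Point 4b above asks for strict, automatic redaction and point 5 for a human gate before anything is published. The following is an added example, not code from the skill or from joshp123: a POSIX shell redaction pass that strips secret-shaped values from a draft PR body, and a gate that refuses to hand the body to `gh pr create` while anything secret-shaped remains. The key names, the credential patterns (the `sk-`, `ghp_` and `AKIA` shapes) and the sample PR body are constructed for illustration and are assumptions, not the skill's own templates or format.

```shell
#!/usr/bin/env sh
# Added example, not part of the pr-commit-workflow skill: an automatic
# redaction pass plus a publish gate for a draft PR body. The secret patterns
# and the sample body below are constructed for illustration; extend the
# patterns for the credential formats used in your environment.

# Key names whose values must never reach a PR body. Spelled out per letter
# so the match is case-insensitive on both GNU and BSD sed/grep (sed's I flag
# is GNU-only).
KEY_NAMES='[Pp][Aa][Ss][Ss][Ww][Oo]?[Rr]?[Dd]|[Ss][Ee][Cc][Rr][Ee][Tt]|[Tt][Oo][Kk][Ee][Nn]|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy]'

# Bare credential shapes that can appear without a key=value prefix (assumed).
BARE_TOKENS='sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}'

# redact_pr_body FILE: write a redacted copy of FILE to stdout.
# The key=value rule runs first so labels such as OPENAI_API_KEY= survive
# while their values are replaced.
redact_pr_body() {
  sed -E \
    -e 's/(('"$KEY_NAMES"')[[:space:]]*[=:][[:space:]]*)[^[:space:]]+/\1[REDACTED]/g' \
    -e 's/('"$BARE_TOKENS"')/[REDACTED_TOKEN]/g' \
    -e 's/-----BEGIN [A-Z ]*PRIVATE KEY-----/[REDACTED_PRIVATE_KEY]/g' \
    "$1"
}

# has_secrets FILE: exit 0 if any secret-shaped string is still present.
# Redacted values start with '[' so they do not match the trailing [A-Za-z0-9].
has_secrets() {
  grep -Eq "$BARE_TOKENS|BEGIN [A-Z ]*PRIVATE KEY|($KEY_NAMES)[[:space:]]*[=:][[:space:]]*[A-Za-z0-9]" "$1"
}

# gate_pr_body FILE: redact FILE in place; return 0 when it is clean and 1
# when something secret-shaped survived, in which case FILE is left untouched
# so a human can inspect it before anything is passed to `gh pr create`.
gate_pr_body() {
  tmp="$(mktemp)"
  redact_pr_body "$1" > "$tmp"
  if has_secrets "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$1"
}

# Constructed sample: a draft body in the shape a verbatim-prompt-history
# workflow produces, with a prompt entry and an environment line that leak
# credentials (all values made up).
sample_pr_body() {
  cat <<'EOF'
## Intent
Fix retry handling in the upload client.

## Prompt history (verbatim)
> Use OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456 for the test run
> db password: hunter2-prod

## Environment
harness=codex model=gpt-4.1 token=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
EOF
}

# Stand-alone demo: gate the sample body and show the result.
main() {
  body="$(mktemp)"
  sample_pr_body > "$body"
  if gate_pr_body "$body"; then
    echo "clean; safe to publish:"
    cat "$body"
  else
    echo "secrets remain; refusing to publish" >&2
  fi
  rm -f "$body"
}

main
```

Run `gate_pr_body` on the draft the agent writes (the analysis below notes drafts go under /tmp) immediately before the `gh pr create` step, and make a non-zero exit stop the workflow rather than fall back to agent judgement. Separately, before trusting the skill's collector at all, run it in a throwaway environment, for example `env -i HOME=$(mktemp -d) PATH=/usr/bin:/bin sh -x scripts/build_pr_body.sh`, and read the trace to see which variables and paths it touches; the script's arguments are not documented on this page, so that invocation is an assumption.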
Functional analysis
Type: OpenClaw Skill
Name: pr-commit-workflow
Version: 1.0.0
The skill is classified as suspicious because it executes a shell script (`scripts/build_pr_body.sh`) that reads various environment variables and system information, and because `references/workflow-commit.md` instructs the agent to execute an arbitrary local 'committer script' if one is present in the repository. While these actions are plausibly aligned with the stated purpose (collecting environment metadata for auditability and adapting to repo-specific tooling), they are high-risk capabilities (shell execution, reading environment variables, executing external scripts) without clear malicious intent, which warrants a 'suspicious' classification.
Capability assessment
Purpose & Capability
The stated purpose (enforcing human-written PR intent and structured commits) generally matches the files and templates provided. However, the skill implicitly assumes tooling (gh, git) and access to agent prompt logs, history and search tools (cm/cass, Codex logs) that are not declared in the skill metadata. Asking agents to read local agent logs and environment metadata is broader than a minimal PR helper and should be justified explicitly.
Instruction Scope
SKILL.md and references require inclusion of the full prompt history verbatim and environment metadata in every PR, and they instruct use of agent history search tools and a helper script to collect environment fields. That creates a high risk of leaking sensitive prompt contents or secrets. The instructions also direct use of gh commands and /tmp for draft bodies but the skill metadata does not declare these runtime requirements. The redaction guidance ('redact only the sensitive portion') leaves too much discretion to the agent.
Install Mechanism
No install spec is present and the skill is instruction-first with a small local script. From an install mechanism viewpoint this is low risk (nothing to download/run beyond the provided script).
Credentials
The skill declares no required environment variables, but its scripts and readme reference, and the included script reads, a variety of environment variables (AGENT_HARNESS, CODEX_MODEL, OPENAI_MODEL, ANTHROPIC_MODEL, CURSOR_MODEL, LLM_MODEL, THINKING_LEVEL, terminal/version, etc.), and it checks for local directories under $HOME. This mismatch (declaring none but reading many) is disproportionate and may reveal sensitive information about models, harnesses, or other local artifacts. The skill also encourages including full prompt entries, which may contain secrets or private data.
Persistence & Privilege
The skill is not force-included (always=false) and does not request special persistence, but it is invocable and (by default) can be invoked autonomously by the agent. Combined with the instruction to gather and embed prompt histories and environment metadata, autonomous invocation increases the blast radius for accidental or automated exfiltration. The skill does not require explicit confirmation steps for harvesting or publishing prompt history.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install pr-commit-workflow
  3. After installation, call the skill by name or trigger it with /pr-commit-workflow.
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version history
v1.0.0
Initial release: High-signal PR and commit workflows for agentic AI coding
Metadata
Slug: pr-commit-workflow
Version: 1.0.0
License: (none listed)
Total installs: 13
Current installs: 13
Versions: 1
FAQ

What is PR + Commit Workflow?

This skill should be used when creating commits or pull requests, enforcing a human-written PR structure, intent capture, and evidence in agentic workflows. It is an AI agent skill plugin for Claude Code / OpenClaw, with 3191 downloads to date.

How do I install PR + Commit Workflow?

Run the command /install pr-commit-workflow in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.

Is PR + Commit Workflow free?

Yes, PR + Commit Workflow is completely free (open source) and can be downloaded, installed and used freely.

Which platforms does PR + Commit Workflow support?

PR + Commit Workflow is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed PR + Commit Workflow?

Developed and maintained by joshp123 (@joshp123); current version v1.0.0.
