Pylinter Assist
Author: Clay Graham · v0.6.3 · MIT-0
Total downloads: 172
Favorites: 0
Current installs: 0
Versions: 10
Install in OpenClaw
/install pylinter-assist
Description
Provides context-aware Python linting with pattern-based heuristics for reviewing GitHub pull requests.
Security usage recommendations
This skill appears to do what it says: lint PRs, run pattern checks, post comments, and optionally monitor GitHub Actions and send notifications. Before installing:
- Review and pin the exact .github/workflows/lint-pr.yml you add to your repo; workflows run with repo permissions and can read secrets. Do not copy from an unfrozen branch without inspection.
- Use a dedicated GITHUB_TOKEN with the minimal scopes required (avoid using a broad personal token). Avoid passing tokens on the command line; prefer environment variables.
- Install and run inside a Python virtual environment (the docs recommend venv/pyenv).
- If you enable notifications, provide bot/webhook tokens via environment/config (not via visible CLI args) to avoid exposure in process listings or logs.
- The package appears to be source-distributed and contains code for network calls and subprocesses (pylint/git). Test in an isolated environment (or non-production repo) first.
- Small inconsistencies (version mismatch, repository owner metadata) look like bookkeeping issues; if provenance matters to you, verify the upstream repository and commit SHA before using the workflow in production.
Functional analysis
Type: OpenClaw Skill
Name: pylinter-assist
Version: 0.6.3
The skill is a Python linting utility that integrates with GitHub Actions and includes a monitoring feature for workflow artifacts. It contains a potential 'Zip Slip' vulnerability in 'pylinter_assist/github_actions.py' where it uses 'zipfile.extractall()' on downloaded artifacts without validating file paths, which could allow arbitrary file writes if a malicious repository is monitored. Additionally, the 'monitor' command in 'pylinter_assist/cli.py' facilitates sending lint reports to external endpoints (Telegram, Discord, Slack) via user-provided webhooks. While these capabilities are aligned with the stated purpose and the documentation includes security warnings, the lack of input sanitization during ZIP extraction and the handling of secrets via CLI arguments meet the criteria for a suspicious classification.
Capability assessment
Purpose & Capability
The name/description (context-aware Python linting for PRs) matches the included code: CLI, linter orchestration (pylint + pattern checks), GitHub Actions monitoring, and notification hooks. Network access to GitHub and optional notification services (Telegram/Discord) is required for the advertised features and is present in the code. There are minor metadata mismatches (package __version__ is 0.1.0 while registry lists 0.6.3, and the SKILL.md references the GitHub repo 'claytantor/pylinter-assist' while the registry source is listed as unknown) — these are likely bookkeeping issues, not functional misalignment.
Instruction Scope
SKILL.md focuses on creating a venv, installing the package locally (pip install -e .), and adding a reviewed GitHub workflow — all within the stated purpose. It explicitly warns about GitHub Actions and secrets, and does not instruct the agent to read unrelated system files. CLI options and monitor callbacks accept tokens (GITHUB_TOKEN, TELEGRAM_BOT_TOKEN, etc.) which are necessary to post comments, trigger workflows, or send notifications; the docs warn about exposing tokens on the command line.
Install Mechanism
There is no automatic remote install script; installation is manual via pip in a venv (pip install -e .) and optional ClawHub npm CLI for installing the skill snapshot. The SKILL.md explicitly discourages curl|sh and recommends cloning/pinning workflow files. No suspicious remote downloads or archive extraction are specified.
Credentials
The skill does not declare required env vars but reasonably uses common tokens when needed: GITHUB_TOKEN for GitHub API calls/PR comments and optional bot/webhook tokens for notifications. Those credentials are proportional to posting comments, triggering workflows, and sending notifications. The documentation warns about not exposing tokens on the command line and to pin workflow files, which is appropriate.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request permanent system-wide privileges or modify other skills. It installs locally into a venv and operates on repository files/workflows when explicitly instructed by the user.
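How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install pylinter-assist
- Once installation completes, call the Skill by name or use /pylinter-assist to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history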
v0.6.3
pylinter-assist v0.6.3 — safer, simpler setup and revised documentation
- Replaced previous remote shell script and `uv` installation instructions with auditable, standard Python setup using pyenv and venv.
- Major overhaul of user documentation: strong emphasis on security, recommending pinning workflow files to reviewed commit SHAs and avoiding `curl | sh`.
- All integration steps now encourage local file review before commit; “copy, don’t curl” workflow for GitHub Actions.
- CLI usage and examples simplified for typical Python developer workflows.
- No code or linting logic changes; update is documentation, security, and beginner experience-focused.
v0.6.2
pylinter-assist 0.6.2
- Updated version and metadata in SKILL.md and pyproject.toml to 0.6.2.
- Minor documentation clean-up and formatting improvements in SKILL.md.
- No functional changes to code or features.
v0.6.0+0
pylinter-assist 0.6.0+0
- Added security notes advising users to review remote shell scripts and GitHub Actions workflow files before executing or committing them.
- Updated installation and integration instructions to encourage reviewing downloaded files for security, especially workflow files that may access repository secrets.
- Clarified workflow file setup: added guidance to prefer copying from a local, reviewable source and explicitly reviewing before committing.
- Provided additional security context for API commands using GitHub tokens.
- Bumped version to 0.6.0+0 and updated documentation to reflect these changes.
v0.5.1+0
pylinter-assist 0.5.1+0
- Updated versioning in SKILL.md and pyproject.toml to 0.5.1+0.
- Minor documentation and metadata updates.
- No significant logic or feature changes in this release.
v0.5.0+0
Version 0.5.0+0
- Added `pylinter_assist/github_actions.py` and `pylinter_assist/notifications.py` modules for GitHub Actions and notification functionality.
- Updated CLI and configuration logic (see changes in `pylinter_assist/cli.py` and `pylinter_assist/config.py`).
- Documentation updated in SKILL.md and CLAUDE.md to reflect new features and installation details.
- Package metadata updated in `pyproject.toml`.
- Preparation for improved GitHub workflow integration and outputs.
v0.4.1+0
pylinter-assist v0.4.1+0
- Added step-by-step instructions for enabling pylinter-assist in a new project, including workflow and config file setup.
- Updated SKILL.md with a dedicated section: "Enabling a New Project for Support."
- Clarified required repository permissions for workflow operation.
- No code or runtime changes—documentation only.
v0.4.0+0
Version 0.4.0+0 summary: Adds detailed installation and troubleshooting instructions, with a focus on CLI usage via virtual environments and tooling.
- Expanded documentation with prerequisites for uv, npm, and ClawHub CLI, plus full setup steps.
- Added multiple installation and usage methods: pip install in venv, uv run, and direct script execution.
- New troubleshooting section for common CLI installation and path issues.
- Restructured README and SKILL.md to guide both skill and CLI setup, ensuring better onboarding for new users.
- No changes to skill core features or runtime logic.
v0.3.0+0
- Major update: Expanded documentation, GitHub workflow integration steps, and feature list.
- Added LICENSE.md and comprehensive README.md for better onboarding.
- Detailed configuration options and available checks now documented in SKILL.md.
- New integration guide for GitHub Actions workflow, covering permissions and setup.
- Enhanced usage instructions, examples, and available output/reporting features.
v0.2.0+0
- No user-facing changes in this version.
- Updated project metadata only.
v0.1.0
- Initial release of pylinter-assist skill.
- Provides context-aware Python linting for PR review with smart pattern heuristics.
- Supports linting PR changes, staged files, unified diffs, and specific file paths.
- Output supports text, JSON, or markdown formats.
- Allows custom linting rule configuration and GitHub PR comment integration.
- Option to fail on warnings as well as errors.
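Frequently asked questions
What is Pylinter Assist?
Provides context-aware Python linting with pattern-based heuristics for reviewing GitHub pull requests. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 172 cumulative downloads to date.
How do I install Pylinter Assist?
Run the command "/install pylinter-assist" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Pylinter Assist free?
Yes, Pylinter Assist is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Pylinter Assist support?
Pylinter Assist is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Pylinter Assist?
It is developed and maintained by Clay Graham (@claytantor); the current version is v0.6.3.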