zero2ai-hub

Skill Github Daily Ops

Author: Zero2Ai · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 399
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install skill-github-daily-ops
Description
Daily GitHub repo health check + safe Dependabot auto-merge. Outputs markdown report.
Security usage advice
This skill mostly does what it claims (scan repos, report, and merge Dependabot PRs) but has several red flags you should address before using it with real credentials:

- Expect to provide a GitHub PAT with repo write permissions. The registry doesn't declare this, but the scripts will fail without it. Use a token scoped as narrowly as possible (repo:status, pull_request, maybe repo if merging) and prefer an org-scoped machine account if possible.
- The scripts use both GITHUB_TOKEN (node) and GH_TOKEN (bash) and will try to read ~/.github_token. Ensure you know which token will be used and avoid placing high-privilege tokens in a plaintext file unless you intend to.
- The code relies on binaries not declared in the manifest: gh (GitHub CLI), python3, and git (for workspace push). Install these only if you trust the skill.
- The included daily-ops.sh will attempt to push unpushed commits from a configured WORKSPACE (default ~/.openclaw/workspace). If you run that script, it may publish local commits you haven't reviewed. Either remove or audit the 'Push workspace commits' section before running, or set WORKSPACE to a safe path.
- Consider running the scripts in readonly/report-only mode (--report) first, and test auto-merge behavior on a small set of non-critical repos. Review and possibly remove or sandbox any steps that write to remotes (merge, delete-branch, git push).

Given the mismatches and the workspace-push side-effect, treat this skill as 'suspicious' until you fix the declared requirements, unify token handling, and remove or clearly control the workspace push behavior.
Functional analysis
Type: OpenClaw Skill
Name: skill-github-daily-ops
Version: 1.0.1

The skill is classified as suspicious due to several risky capabilities, even though they align with the stated purpose of GitHub daily operations. Both `scripts/auto-merge.sh` and `scripts/daily-ops.sh` read the highly sensitive `GITHUB_TOKEN` from `~/.github_token`. Additionally, `scripts/daily-ops.sh` performs a `git push` operation on the local workspace, a powerful action that could lead to unauthorized code changes if the agent's environment or the workspace repository were compromised. While these actions are plausibly needed for the skill's functionality, they represent significant attack surfaces and potential vulnerabilities without clear malicious intent.
Capability assessment
Purpose & Capability
Name/description promise (GitHub health + safe Dependabot auto-merge) aligns with code that lists repos, checks CI, and merges Dependabot PRs — that part is coherent. However the package metadata only declares 'node' as a required binary while the shipped scripts also rely on the GitHub CLI (gh), python3, and git; the registry does not declare the needed GITHUB_TOKEN/GH_TOKEN credential despite the scripts requiring it. These omissions are disproportionate to the stated purpose and reduce transparency.
Instruction Scope
SKILL.md shows running node scripts (report + merge). The included bash scripts (daily-ops.sh) perform extra actions not called out in the top-level docs: they will examine a local WORKSPACE and may git push unpushed commits from that workspace. Pushing local workspace commits is outside the expected scope of a 'repo health report' and can modify remote state beyond merging Dependabot PRs. Also the skill's scripts read ~/.github_token and expect GH_TOKEN/GITHUB_TOKEN — they will access local files and environment for credentials.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed automatically. That limits install-time risk. However it still ships runnable scripts that will be executed by the user/agent if invoked.
Credentials
The skill requires a GitHub personal access token in practice, but registry metadata does not declare required env vars. The code uses both GITHUB_TOKEN (daily-ops.js) and GH_TOKEN (bash scripts) and will read ~/.github_token — this mismatch increases risk of accidental credential exposure or misconfiguration. A PAT with repo write/merge permissions is required to auto-merge and to push workspace commits; that level of credential is significant and should be declared and limited.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The particularly concerning behavior is not persistence but side-effects: the bash script can push local workspace commits (git push) which modifies remote repositories and may expose or publish local changes. Autonomous invocation is allowed by default for skills, so if you enable auto-run you should be aware of the side-effecting operations.
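How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-github-daily-ops
  3. Once installation completes, invoke the Skill by name or trigger it with /skill-github-daily-ops
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output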
Version history
v1.0.1
- Removed internal documentation file: config/internal.md
- No user-facing functionality changed.
v1.0.0
Initial release of skill-github-daily-ops:
- Generates daily health reports for GitHub repos in markdown format.
- Safely auto-merges Dependabot PRs with only medium/low severity CVEs and passing CI.
- Supports running for all or specific repos via command-line arguments.
- Flexible configuration using environment variables and CLI options.
- Provides cron-ready scripting examples for automation.
Metadata
Slug skill-github-daily-ops
Version 1.0.1
License
Total installs 1
Current installs 1
Historical versions 2
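FAQ

What is Skill Github Daily Ops?

Daily GitHub repo health check + safe Dependabot auto-merge. Outputs markdown report. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 399 total downloads to date.

How do I install Skill Github Daily Ops?

Run the command "/install skill-github-daily-ops" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Skill Github Daily Ops free?

Yes, Skill Github Daily Ops is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Skill Github Daily Ops support?

Skill Github Daily Ops runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill Github Daily Ops?

It is developed and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.1.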
