tester_skill
Author: tsiontesfayechromaway · GitHub · v1.0.0
Total downloads: 722
Favorites: 0
Current installs: 3
Versions: 1
Install in OpenClaw
/install tester
Description
Manage GitHub issues by listing, filtering, spawning fix agents, creating PRs, and tracking review comments using the authenticated gh CLI.
Safe usage recommendations
Key things to consider before installing:
- The SKILL.md requires the gh CLI and a GitHub token (GITHUB_TOKEN), but the skill metadata does not declare these — confirm the author/source and why metadata omits these requirements.
- Understand exactly what spawn_subagent does in your agent environment: will sub-agents push commits, open PRs, or run arbitrary code? Ask for explicit limits and review/approval steps.
- If you try it, use a least-privilege token (PAT) scoped only to the repositories needed (avoid using a full user token), and prefer a machine/service account rather than your personal account.
- Require manual approval or merge protections in GitHub so PRs opened by the skill cannot be merged automatically without human review.
- Ask the publisher for source code or provenance (why is there no homepage/source), and request that the skill metadata be corrected to list required binaries and credentials.
- If you cannot verify these points, avoid granting it GitHub credentials or enabling model-driven autonomous actions until you have tighter controls.
Functional analysis
Type: OpenClaw Skill
Name: tester
Version: 1.0.0
The skill is classified as suspicious due to a significant prompt injection vulnerability pattern identified in `SKILL.md`. The `spawn_subagent` instruction demonstrates passing unsanitized, user-controlled data (GitHub issue `title` and `description`) directly into a sub-agent's `task` string. This allows an attacker to craft malicious issue content to potentially manipulate the sub-agent's behavior. Additionally, the instruction to `export GITHUB_TOKEN` highlights a sensitive secret management practice, which, while necessary for functionality, poses a risk if not handled securely by the agent or user.
Capability assessment
Purpose & Capability
The description says it uses the authenticated gh CLI, but the registry metadata lists no required binaries or primary credential. SKILL.md explicitly requires the gh CLI and shows use of a GITHUB_TOKEN. The requested metadata should have declared gh as a required binary and the token as a primary credential or required env var.
Instruction Scope
Instructions are focused on GitHub issue/PR operations and spawning sub-agents to implement fixes, which matches the stated purpose. However the SKILL.md provides no constraints or guardrails for spawned sub-agents (what they can access, whether they push commits automatically, review/merge policies), leaving broad, underspecified autonomous behavior.
Install Mechanism
This is an instruction-only skill (no install spec), which is low-risk by itself, but the SKILL.md requires the gh CLI be installed — that dependency is not declared in the registry metadata. The lack of an install spec means nothing will be written by the skill itself, but the runtime dependency mismatch is an inconsistency.
Credentials
The README suggests using GITHUB_REPO and GITHUB_TOKEN (sensitive) and authenticating via gh auth, but the skill declared no required env vars or primary credential. Sensitive tokens are clearly needed for the described actions; the skill should declare and justify them and recommend least-privilege scopes. As-written, the skill may run with whatever gh credentials are present without documenting required scopes or safeguards.
Persistence & Privilege
always:false (good), but the skill instructs agents to spawn sub-agents that can implement fixes and create PRs. With model invocation enabled (default), an agent could autonomously create branches/PRs using available credentials. Combined with the undeclared credential dependency and lack of guardrails, this raises privilege and autonomy concerns.
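How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install tester
- Once installation completes, invoke the skill by name or trigger it with /tester
- Provide the required inputs according to the skill's parameter description to get structured output.
Version history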
v1.0.0
- Initial release of GitHub Issue Manager skill.
- Fetch and filter GitHub issues by labels, milestones, and assignees.
- Spawn sub-agents to work on issue fixes.
- Create pull requests with automated descriptions.
- Track PR review status and handle review comments.
- Requires preconfigured and authenticated GitHub CLI (`gh`).
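FAQ
What is tester_skill?
Manage GitHub issues by listing, filtering, spawning fix agents, creating PRs, and tracking review comments using the authenticated gh CLI. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 722 cumulative downloads so far.
How do I install tester_skill?
Run the command "/install tester" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is tester_skill free?
Yes, tester_skill is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does tester_skill support?
tester_skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed tester_skill?
It is developed and maintained by tsiontesfayechromaway (@tsiontesfayechromaway); the current version is v1.0.0.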