OpenClaw

Skill details (on-site mirror, no comments)

Auto Pr Merger

Automatically checks out a GitHub PR, runs tests, retries fixes if tests fail, and merges the PR upon successful tests.

Development & DevOps

License: MIT-0

MIT-0 · Free to use, modify, and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 827 · 9 current installs · 9 all-time installs


🛡 VirusTotal: Suspicious · OpenClaw: Suspicious

Package:autogame-17/auto-pr-merger

Security scan (ClawHub)

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious

OpenClaw assessment

The skill implements the promised workflow but contains undisclosed LLM integration that searches .env files for GEMINI_API_KEY and sends repo file contents/conflict text to an external Gemini API — a potential secret/code exfiltration risk and an inconsistency with the SKILL.md/metadata.

Purpose

The code implements checkout, test, fix, and merge behavior that matches the description. However, it also includes automatic calls to an external LLM (Gemini) for conflict resolution and fixes. The registry metadata declares no required credentials or primaryEnv, yet the code requires GEMINI_API_KEY to function. The skill's outward description (SKILL.md) mentions 'placeholder/mock fix logic' but the code performs real LLM-based fixes — a mism…

Instruction scope

SKILL.md instructs use of gh CLI and Node and describes the high-level workflow, but omits that failing-file contents and files with merge conflict markers are sent to a remote LLM. The runtime code reads repository files and will transmit their contents (and any text from .env it finds) to the Gemini API. This is scope creep relative to the SKILL.md disclosure and can leak sensitive code/credentials.

Install mechanism

No install script or external downloads are present; the package is instruction + a small Node script with a single dependency (minimist). There is no high-risk installer or remote archive extraction.

Credentials

The skill attempts to obtain GEMINI_API_KEY from process.env or by searching .env files in the workspace and parent directories — but the registry metadata lists no required env vars. Reading .env files outside the repository root increases the chance of exposing unrelated secrets. The skill will include repository source and conflicted file contents in requests to the external LLM, which is disproportionate unless the user knowingly provides …

Persistence

The skill performs privileged Git operations (commit, push, merge, delete branch) via the authenticated gh/git client. It does not request always:true or modify other skills. The ability to push/merge is expected for a PR merger tool, but combined with undeclared external network calls and secret access this raises practical risk: a compromised/buggy run could push undesired changes or leak data.

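Install (copy to Lobster AI, 龙虾 AI)

Copy the entire block below into a Lobster Chinese Library (龙虾中文库) conversation; Lobster then completes the installation by following SKILL.md.

Please hand this block to Lobster Chinese Library (龙虾中文库, Lobster AI) to execute: install the OpenClaw skill "Auto Pr Merger" on this machine. Summary: Automatically checks out a GitHub PR, runs tests, retries fixes if tests fail, ….
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/autogame-17/auto-pr-merger/SKILL.md
(Source: yingzhi8.cn skill library)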

SKILL.md


# Auto PR Merger Skill

This skill automates the workflow of checking out a GitHub PR, running tests, attempting to fix failures, and merging if successful.

## Usage

```bash
node skills/auto-pr-merger/index.js --pr <PR_NUMBER_OR_URL> --test "<TEST_COMMAND>" [--retries <NUMBER>]
```

## Arguments

- `--pr`: The PR number or URL (e.g., `123` or `https://github.com/owner/repo/pull/123`).
- `--test`: The command to run tests (e.g., `npm test`, `pytest`).
- `--retries`: (Optional) Number of times to attempt fixing the code if tests fail. Default: 3.

## Requirements

- `gh` CLI installed and authenticated.
- Node.js environment.

## Logic

1.  Checks out the PR using `gh pr checkout`.
2.  Runs the specified test command.
3.  If tests fail:
    *   Reads the output.
    *   Attempts a fix (Currently a placeholder/mock fix logic).
    *   Commits and pushes the fix.
    *   Retries the test command.
4.  If tests pass:
    *   Merges the PR using `gh pr merge --merge --auto`.