Security scan
OpenClaw
Safe
high confidence
The skill's requests and instructions line up with its stated purpose: it uses a MorphixAI proxy to call GitHub via an mx_github tool and only asks for a MorphixAI API key.
Assessment and recommendations
This skill appears coherent, but take these precautions before installing: 1) Verify the source/trustworthiness of the openclaw-morphixai plugin (no homepage/source provided in the manifest). 2) Limit the MORPHIXAI_API_KEY to the minimal scopes needed (prefer a dedicated service token or read-only scopes where possible). 3) Review what GitHub account is linked via morphix.app and avoid linking high-privilege or org-wide personal accounts. 4) Understand that requests go through MorphixAI (morphix...
✓ Purpose and capabilities
Name/description advertise GitHub integration via MorphixAI proxy; the only required environment variable is MORPHIXAI_API_KEY and the SKILL.md explicitly references morphix.app and mx_github/mx_link tools — these are proportionate and expected.
✓ Instruction scope
SKILL.md contains only instructions to install the MorphixAI plugin, set the MORPHIXAI_API_KEY, link a GitHub account, and call mx_github actions (list repos, create issues/PRs, trigger workflows). It does not instruct reading unrelated files, other env vars, or transmitting data to unexpected endpoints.
✓ Install mechanism
This is an instruction-only skill with no install spec or code files. The doc asks the user to install an OpenClaw plugin (openclaw-morphixai) manually — expected and low risk from this manifest alone.
✓ Credential requirements
Only MORPHIXAI_API_KEY is required, which is consistent with using a MorphixAI proxy. No unrelated secrets or config paths are requested. Note: that API key will be able to perform GitHub actions via the proxy, so its scope and trustworthiness should be considered.
ℹ Persistence and privileges
always is false and there are no config path changes. The skill allows normal autonomous invocation (disable-model-invocation: false), which is standard — be aware an autonomously-invoked agent could use the MorphixAI key to access repo data if the key is granted broad scopes.
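Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.1 2026/3/6
● Benign
Install command
Official: npx clawhub@latest install github-workflow
Mirror (faster downloads): npx clawhub@latest install github-workflow --registry https://cn.clawhub-mirror.com
Skill documentation
Manage GitHub repositories, issues, PRs and CI/CD workflows through the mx_github tool.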
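Prerequisites
- Install the plugin: openclaw plugins install openclaw-morphixai
- Get an API key: visit morphix.app/api-keys and generate an mk_xxxxxx key
- Configure the environment variable: export MORPHIXAI_API_KEY="mk_your_key_here"
- Link an account: visit morphix.app/connections to link a GitHub account, or link it through the mx_link tool (app:github)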
Core operations
View the current user
mx_github:
  action: get_user
List repositories
mx_github:
  action: list_repos
  sort: "updated"
  per_page: 10
View repository details
mx_github:
  action: get_repo
  repo: "owner/repo-name"
Issue operations
List issues (PRs excluded):
mx_github:
  action: list_issues
  repo: "owner/repo"
  state: "open"
  per_page: 10
Create an issue:
mx_github:
  action: create_issue
  repo: "owner/repo"
  title: "Bug: 登录页面加载异常"
  body: "## 问题描述\n登录页面在 Safari 中无法正常加载\n\n## 复现步骤\n1. 打开 Safari\n2. 访问登录页"
  labels: ["bug", "frontend"]
  assignees: ["username"]
Update an issue:
mx_github:
  action: update_issue
  repo: "owner/repo"
  issue_number: 42
  state: "closed"
Pull request operations
List PRs:
mx_github:
  action: list_pulls
  repo: "owner/repo"
  state: "open"
Create a PR:
mx_github:
  action: create_pull
  repo: "owner/repo"
  title: "feat: 添加用户登录功能"
  head: "feature/user-login"
  base: "main"
  body: "## 改动内容\n- 实现了 JWT 登录\n- 添加了单元测试"
GitHub Actions
View workflow runs:
mx_github:
  action: list_workflow_runs
  repo: "owner/repo"
  per_page: 5
Trigger a workflow:
mx_github:
  action: trigger_workflow
  repo: "owner/repo"
  workflow_id: "deploy.yml"
  ref: "main"
  inputs: { "environment": "staging" }
Common workflows
Create a feature PR
1. mx_github: create_pull
   repo: "owner/repo", title: "feat: xxx", head: "feature/xxx", base: "main"
2. mx_github: list_workflow_runs → check the CI status
Overview of a project's issues and PRs
1. mx_github: list_issues, repo: "owner/repo", state: "open"
2. mx_github: list_pulls, repo: "owner/repo", state: "open"
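Notes
- The repo parameter has the format "owner/repo" (e.g. "paul-leo/mini-tanka")
- list_issues automatically filters out PRs (the GitHub API's /issues endpoint returns PRs)
- trigger_workflow requires the repository to have the corresponding workflow file and a workflow_dispatch trigger
- The account_id parameter is usually omitted; the tool automatically detects the linked GitHub account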
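The scan report notes that an autonomously invoked agent can use the MorphixAI key for whatever its scopes allow, and four of the actions documented here change state. The following is an added example, not part of the skill, the plugin or OpenClaw: a pre-call policy check that allows read-only actions on allowlisted repositories, requires human confirmation for writes, and pins trigger_workflow to known workflow/ref pairs. The name review_call, the read/write split and both allowlists are assumptions of this example.

```python
import re

# Action names come from the skill documentation above; the read/write split,
# the allowlists and the name review_call are assumptions of this example.
READ_ONLY = {"get_user", "list_repos", "get_repo", "list_issues",
             "list_pulls", "list_workflow_runs"}
WRITE = {"create_issue", "update_issue", "create_pull", "trigger_workflow"}
NO_REPO = {"get_user", "list_repos"}  # documented without a repo parameter
REPO_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9._-]+")


def review_call(call, allowed_repos, allowed_dispatch, confirmed=False):
    """Return (decision, reason); decision is 'allow', 'confirm' or 'deny'."""
    action = call.get("action")
    if not isinstance(action, str) or action not in READ_ONLY | WRITE:
        return "deny", f"unknown action {action!r}"
    repo = call.get("repo")
    if action not in NO_REPO:
        if not isinstance(repo, str) or not REPO_RE.fullmatch(repo):
            return "deny", 'repo must have the form "owner/repo"'
        if repo not in allowed_repos:
            return "deny", f"{repo} is not on the repository allowlist"
    if action in READ_ONLY:
        return "allow", "read-only action"
    if action == "trigger_workflow":
        # Dispatch is pinned to known (repo, workflow file, ref) triples.
        target = (repo, call.get("workflow_id"), call.get("ref"))
        if not any(target == t for t in allowed_dispatch):
            return "deny", "workflow/ref is not on the dispatch allowlist"
    if not confirmed:
        return "confirm", f"{action} changes state in {repo}"
    return "allow", "write action confirmed by a human"


if __name__ == "__main__":
    # Constructed sample calls, shaped like the examples in this document.
    repos = {"owner/repo"}
    dispatch = {("owner/repo", "deploy.yml", "main")}
    for c in [
        {"action": "list_issues", "repo": "owner/repo", "state": "open"},
        {"action": "create_pull", "repo": "owner/repo",
         "head": "feature/x", "base": "main"},
        {"action": "trigger_workflow", "repo": "owner/repo",
         "workflow_id": "deploy.yml", "ref": "feature/x"},
        {"action": "get_repo", "repo": "someone-else/repo"},
    ]:
        print(c["action"], *review_call(c, repos, dispatch))
```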
Data source: ClawHub · Chinese localization: 龙虾技能库