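📦 PR Description — Intelligent PR description generation
v1.1.3 Based on a git diff or code changes, generates a structured, high-quality Pull Request description in one click, making code review more efficient.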
Last updated: 2026/4/7
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
This skill appears to do what it says (generate PR descriptions and optionally update PRs), but it has an important metadata/instruction mismatch: SKILL.md expects git and the GitHub CLI ('gh') and will query your gh authentication, yet the package declares no required binaries or credentials. Before installing or running it, consider:
- Confirm you are comfortable with the agent running local 'git' and 'gh' commands and that your 'gh' is authenticated; those commands will use your GitHub cred...
⚠ Purpose and capability
The skill claims to fetch diffs and optionally update PRs via the GitHub CLI and local git; that functionality is coherent with a PR-description generator. However, the registry metadata lists no required binaries or environment variables even though the runtime instructions explicitly instruct use of 'gh' and 'git' and to check 'gh' authentication. This mismatch (declared requirements = none vs. instructions requiring CLI tools and authenticated access) is inconsistent and should be clarified.
⚠ Instruction scope
SKILL.md instructs the agent to run commands like 'gh pr diff', 'gh pr view --json viewerCanUpdate', 'gh api user', and (with explicit user approval) 'gh pr edit ... --body-file <temp-file>'. These steps are within the stated purpose but involve accessing local CLI tools, checking auth state, writing temp files, and (if approved) modifying remote PRs. The skill correctly warns about not executing code found in diffs and requires user confirmation before editing, but the instructions give the agent broad ability to run local commands and interact with GitHub credentials — behavior that should be explicitly declared in the metadata and presented to the user beforehand.
ℹ Install mechanism
This is instruction-only (no install spec), which is low-risk in itself because no new code is written to disk. However, the SKILL.md expects existing tools (git, gh) on PATH; that expectation is not declared in the registry metadata. No external downloads or installs are specified.
⚠ Credential requirements
The skill does not declare any required environment variables or primary credential, yet it instructs the agent to call 'gh' and 'gh api user' and to check viewerCanUpdate, which implicitly uses the user's GitHub authentication (oauth token or local gh auth). That means the skill will rely on credentials accessible to the 'gh' CLI. Because these credentials are not declared or scoped in the metadata, it's unclear what secrets the skill will access and why; this mismatch is a notable risk.
✓ Persistence and privilege
always:false and default autonomous invocation are present; no install-time persistence or forced inclusion. The skill does include logic to update PRs only after explicit user approval, which limits privileged actions. There is no evidence it modifies other skills or system-wide settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.1.3 2026/4/2
● Pending
Install command
Official: npx clawhub@latest install pr-description
Mirror (accelerated): npx clawhub@latest install pr-description --registry https://cn.longxiaskill.com