
from fufan-vibecodingcourse41
Orchestrates fetching GitHub issues, spawning fix & review sub-agents to open PRs and address review comments, with cron and watch modes for automation.
gh-issues is an orchestration skill that fetches GitHub issues, runs pre-flight checks, and spawns parallel sub-agents to implement fixes and open pull requests. It also monitors PR review comments and can spawn review-fix agents to address feedback. The skill supports interactive confirm flows, cron-safe single-issue spawning, and watch mode for continuous polling. All GitHub operations are performed via curl+REST (no gh CLI).
Use gh-issues when you want automated handling of GitHub issues: triage, auto-fix routine bugs, continuously process a backlog with cron, or respond to review comments automatically. It's suited for maintainers who want to reduce manual PR creation for straightforward fixes and for automation pipelines that integrate agent-based code fixes.
Designed for OpenClaw-style agents and sub-agents that can run shell commands and sessions_spawn. Works well with agents capable of git/curl operations and parallel sub-agent orchestration (e.g., Cursor, Claude Code-like orchestrators).
gh-issues is a comprehensive GitHub issue orchestration skill that fetches issues, spawns sub-agents to implement fixes, and monitors PR review comments. It uses curl + GitHub REST API exclusively (no gh CLI). The SKILL.md is thorough, with 6 well-defined phases, argument parsing, fork mode, cron mode, watch mode, and claim-based deduplication. There are no bundled scripts to test.
Security deductions: -12 for shell injection risk (unquoted variables in curl commands like {SOURCE_REPO}, {title}, {body} in JSON templates), -15 for credential exposure (token in git remote URLs visible via git remote -v), -8 for global git config modification (credential.helper cleared globally), -3 for jq string interpolation without sanitization. The skill is well-structured and genuinely useful, but the security model relies on the agent executing commands in a controlled environment. There is no evidence of malicious intent: no curl|bash, no hardcoded credentials, no data exfiltration, no auto-update mechanisms. The skill uses proper GitHub API auth patterns. Architecture is strong with clear phase separation, though the monolithic SKILL.md could benefit from splitting scripts/ references.