issue-to-pr — Automatically fix GitHub issues end-to-end: reads the issue, analyzes repository code, implements a fix, and submits a pull request. Use when t...
Security Analysis
medium confidenceThe skill's behavior (cloning repos, editing code, running tests, and creating PRs) matches its description, but there are several minor/informational inconsistencies and undeclared dependencies you should review before installing.
The skill's stated purpose (automatically read an issue, modify code, and open a PR) is coherent with the runtime instructions (git/clone, analyze repo, commit, push, create PR). However the registry metadata does not declare required binaries (git, gh) or the fallback tool 'fetch_content' referenced in SKILL.md — a mismatch between declared requirements and what the skill actually needs.
SKILL.md explicitly instructs the agent to run git and gh commands, clone repositories, inspect local git remotes, scan and modify repository files, run tests/lint, and push/fork remotes. Those actions are appropriate for this skill's purpose, but the document references an external helper 'fetch_content' (web-scraping fallback) that is not included or explained and could expand the runtime surface if present.
There is no remote install spec; the included scripts/install.sh is a simple local installer that copies SKILL.md into ~/.qoder/skills and performs only local filesystem operations. It only contacts GitHub for git clone operations. The installer itself appears low-risk.
The skill declares no required environment variables, which is consistent with the provided installer. However runtime behavior relies on the user's git and GitHub CLI authentication (gh) to fetch issues and create forks/PRs — implicit access to your GitHub account is expected but not explicitly documented in the registry metadata. 'fetch_content' is an undeclared external dependency.
The skill is not marked always:true and does not request agent-wide privileges. The installer writes only to ~/.qoder/skills/issue-to-pr, which is a reasonable local install location and limited in scope.
Guidance
This skill generally does what it says (it needs to clone repos, inspect files, run tests, and push branches/PRs using your GitHub credentials). Before installing or invoking it: (1) verify you have git and optionally the GitHub CLI (gh) installed — SKILL.md assumes these, though the registry metadata doesn't list them; (2) understand it will use your existing gh authentication to fork/push/create PRs (it claims to require explicit approval before submitting PRs, but review prompts in practice); (3) confirm what 'fetch_content' refers to or provide a safe fallback — the SKILL.md references it but it isn't included; (4) inspect SKILL.md and scripts locally and consider testing on a personal or read-only repository first; (5) avoid running it in sensitive repos where automatic code changes would be problematic. If you need higher assurance, request the author to update registry metadata to declare required binaries (git, gh) and document fallback tools and exact user-confirmation prompts.
Latest Release
v1.3.0
**Summary: Adds robust issue reference parsing and fork/branch management for better multi-repo support.** - Supports new input formats for issue references: full URLs, owner/repo#number, and issue numbers (with git context). - Automatically forks the repository if the user lacks push access, and manages remotes accordingly. - Detects if the fix branch already exists and prompts for reuse, recreation, or renaming to avoid accidental overwrites. - Improves default branch detection using both GitHub API and git, with fallbacks. - Adds scope and monorepo detection steps before implementation.
More by @4ydx3906
Published by @4ydx3906 on ClawHub
