ClawHub

Github Tools

v1.0.1

Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.

0· 281·2 current·2 all-time
byzhangzhifeng@164149043
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (GitHub `gh` CLI helper) matches the SKILL.md instructions (examples for `gh pr`, `gh run`, `gh api`, etc.). The skill does not request unrelated binaries or credentials.
Instruction Scope
The instructions are limited to invoking `gh` commands with --repo or URLs and using --json/--jq for output. They do not instruct reading arbitrary files, accessing unrelated environment variables, or transmitting data to external endpoints outside of GitHub.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is written to disk by the skill itself. Risk from installation is minimal — the user must have the `gh` CLI available separately.
Credentials
The skill declares no required environment variables or credentials. This is proportionate: `gh` itself requires authentication but that is managed outside the skill (e.g., `gh auth`).
Persistence & Privilege
always:false (not force-included). disable-model-invocation is false (normal), so the agent could call the skill autonomously — expected for skills. There is no request to modify other skills or system-wide config.
Assessment
This skill is a set of `gh` CLI usage examples and is coherent with its stated purpose. Before installing/using it: (1) ensure the `gh` CLI is installed and you understand which GitHub account is authenticated (the skill does not provide or require credentials but will use whatever `gh` is configured with), (2) be aware that if you let the agent invoke the skill autonomously it can run any `gh` command allowed by that account (including reading or modifying repositories), and (3) verify repository names and permissions to avoid accidental changes to sensitive org repos. Note: the registry metadata ownerId differs slightly from the _meta.json ownerId in the package — this is a minor inconsistency to be aware of but does not change the functional assessment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cxkx2sxdrymqe8sd9dpkbvn833yex

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments