ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Copilot CLI Wrapper

v1.0.0

Run GitHub Copilot CLI via exec to generate code, edit files, or automate shell tasks using advanced AI models like Claude or GPT-5.

0· 424·0 current·0 all-time
by@binotaliu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for binotaliu/openclaw-copilot-cli.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "OpenClaw Copilot CLI Wrapper" (binotaliu/openclaw-copilot-cli) from ClawHub.
Skill page: https://clawhub.ai/binotaliu/openclaw-copilot-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install binotaliu/openclaw-copilot-cli

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-copilot-cli
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md only documents invoking the GitHub Copilot CLI, installing via npm/brew, and authenticating via GitHub. There are no unrelated required env vars, binaries, or config paths declared.
!
Instruction Scope
The instructions explicitly recommend flags and modes that grant the Copilot process broad access (e.g., --allow-all / --yolo), run it interactively via PTY and use process send-keys, and reference auto-loading of AGENTS.md and logs at ~/.copilot/logs. Those steps can cause the CLI to read local files, session state, or upload workspace content to external services — behavior beyond merely generating text and therefore a potential data-exfiltration/privacy risk.
Install Mechanism
No install spec baked into the skill (instruction-only). The README-style instructions point to npm or Homebrew official installs for @github/copilot, which are standard installation routes and not itself suspicious.
Credentials
The skill declares no required env vars or credentials, which is proportionate. However, runtime use requires a GitHub login/Copilot subscription (interactive OAuth/token storage), and the recommended flags may cause local files or credentials to be accessed or transmitted by the Copilot service. The SKILL.md does not request unrelated credentials, but it implicitly relies on GitHub auth and local stored tokens.
Persistence & Privilege
always:false and no requests to modify other skills — that's appropriate. But allow-list flags and interactive automation combined with the platform-default ability for agents to invoke skills autonomously increase potential blast radius if the agent is permitted to call this skill without human oversight.
What to consider before installing
This skill is coherent with its stated purpose (wrapping the GitHub Copilot CLI) but it instructs you to run Copilot with flags and modes that can access and transmit local files and session data. Before installing/use: 1) Only install the copilot binary from official sources (npm/@github or Homebrew). 2) Avoid using --allow-all / --yolo unless you understand and accept that Copilot may access local files, URLs, and system tools. 3) Be cautious about AGENTS.md auto-loading and session outputs (session.md, ~/.copilot/logs) — these can contain workspace content; review them and store them securely. 4) Consider running Copilot in a sandbox/container or a copy of the workspace with sensitive data removed. 5) If you enable autonomous agent invocation, restrict when and how this skill can be called (or require explicit user confirmation) because the combination of autonomous calls + broad flags increases exposure risk. If you want, I can suggest safer invocation flags and a minimal test workflow to verify behavior in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97arbhfe3qfyyha2bd9rqj1rn828mhc
424downloads
0stars
1versions
Updated 13h ago
v1.0.0
MIT-0
@binotaliu
latest
Download

copilot-cli

Description

Execute GitHub Copilot CLI via exec for code gen, file edits, shell tasks using advanced models (Claude/GPT-5). Use when needing Copilot-powered coding/automation.

Installation

npm install -g @github/copilot

or on macOS:

brew install copilot-cli

Verify:

copilot --help

Authentication

  1. Run copilot (interactive mode).
  2. Type /login and follow prompts (uses GitHub account, requires Copilot subscription).

For non-interactive use after auth.

Usage

Non-interactive (one-shot prompts)

copilot -p \"Your prompt here\" --allow-all --silent
  • --allow-all: Enables all tools/paths/URLs (use --yolo for short).
  • --silent: Outputs only agent response.
  • --model claude-sonnet-4.6 or gpt-5.2 etc. to choose model.

In OpenClaw exec:

exec:
  command: copilot -p 'Generate a Python script to...' --allow-all --silent

Interactive

exec:
  command: copilot
  pty: true

Then use process tool:

  • send-keys: Send input like ['prompt text', 'Enter']
  • log: View output

Examples

Shell task

copilot -p 'List all .js files and summarize' --allow-all

Code generation

copilot -p 'Create a simple Express server in Node.js' --allow-all --silent

File edits

copilot -p 'Add error handling to main.js' --allow-all

Advanced models

copilot -p '...' --model gpt-5.3-codex --allow-all

Test

Tested: Generated hello_world.sh:

#!/bin/bash
echo \"Hello, World!\"

Solana NFT mint test started successfully (complex task running).

Tips

  • Custom instructions from AGENTS.md auto-loaded.
  • Use --no-custom-instructions if needed.
  • For scripting: --share to output session.md
  • Logs: ~/.copilot/logs/

Comments

Loading comments...