Repo Research

v0.7.0

An in-depth research and integration-analysis tool for GitHub repositories. Supports researching a single repository or several at once, comparing them against a local project, and producing heuristic integration suggestions. Also supports a theme-driven search mode: it automatically searches for relevant repositories, clones and analyzes them, and generates a report. Remote repositories are cloned into a local research/ directory for in-depth code analysis, architecture evaluation and dependency resolution, and a structured research report is generated. Trigger condition: the user provides a GitHub URL and asks...

byxierluo@cat-xierluo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description match the code and instructions: the skill clones GitHub repositories, analyzes their code, and produces reports. However, SKILL.md assumes runtimes and commands (git, python3, /skill-manager, /find-skills) that are not declared in the skill's required-binaries list. This is a small coherence gap rather than a risk in itself, but in practice the skill will not work unless git and Python are present.
Instruction Scope
The runtime instructions explicitly clone remote repositories into an output directory and read repository files (README, package manifests, source) for analysis. The skill also supports a mode that compares remote repositories with a user-supplied local path, which means it reads files under that local path as well. Both behaviours are expected for the stated purpose, but they give the skill broad read/write access to the agent's current working directory and to any local path the user provides. SKILL.md also instructs the agent to install and invoke the find-skills skill through platform commands (e.g., /skill-manager) when theme search is requested; those commands may not exist on every host.
Install Mechanism
No install spec is included; the package consists of instruction and script files only, and nothing is downloaded from arbitrary URLs during installation. That is lower-risk than an installer that fetches remote code. The one exception is that SKILL.md instructs the agent to call a platform-specific manager to install an optional dependency (find-skills) if the user requests theme search.
Credentials
The skill does not request any environment variables, secrets, or external credentials. Its config system supports environment-variable overrides for output_dir and clone depth, which is reasonable. The security module is designed to scan cloned repositories for references to sensitive files (e.g., ~/.ssh, ~/.aws); that is analysis of the repository contents, not a request for credentials on the host.
Persistence & Privilege
The manifest's always flag is false, so the skill does not request permanent inclusion in the agent's context. It writes analysis output and cloned repositories into a configurable output directory (./research by default, or whatever output_dir is set to). This file-system read/write behaviour is expected for the stated purpose and does not modify other skills or the global agent configuration.
Assessment
This skill appears to do what it claims: clone GitHub repositories, analyze their code, and produce reports. Before running it, consider the following:
(1) It assumes git and Python (python3) are available even though they are not declared; make sure those binaries exist on the host.
(2) It will create directories and clone code into the configured output_dir (./research under the current working directory by default). Run it from a directory where writing and cloning are safe, or point output_dir at a sandbox.
(3) In the "compare with local path" mode the skill reads local files under whatever path you provide; only supply directories you trust it to read.
(4) When theme search is used, the skill may call platform commands such as /skill-manager or /find-skills. Those commands are platform-specific and may prompt for additional installs.
(5) Review the included scripts/security.py to understand what the built-in security checks actually look for.
(6) As a general precaution, do not execute code from the cloned repositories. The skill appears to analyze files rather than run repository code, but review anything from a cloned repository before running it yourself.
For stricter assurance, run the skill in an isolated environment (container or VM) and inspect scripts/security.py and the rest of scripts/* for unexpected subprocess invocations before use.
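The following pre-flight script is an added example of the kind of check the assessment recommends; it is not the skill's own code and does not depend on it. It assumes the skill's scripts are plain Python files under a scripts/ directory (the page names scripts/security.py), and the function names find_process_calls, scan_scripts and check_required_binaries, as well as the SAMPLE_SCRIPT input, are this example's own, not the project's. The first check confirms the undeclared binaries git and python3 resolve on PATH; the second parses each script's AST and lists every call that spawns a process or evaluates code, marking subprocess calls made with shell=True, so you can see exactly where repository-controlled strings could reach a shell before running anything.

```python
"""Pre-flight checks before running a downloaded skill.

Added example, not the skill's own code. It (1) confirms the undeclared
binaries git and python3 are on PATH and (2) statically scans Python scripts
for calls that spawn a process or evaluate code.
"""
import ast
import shutil
from pathlib import Path

# Qualified names of stdlib calls that hand a string or argv to another process
# or to the interpreter. Whether a given use is legitimate (a `git clone`, say)
# is a review decision; the scan only makes every such call visible.
PROCESS_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
    "os.system", "os.popen", "os.execv", "os.execve", "os.execvp", "os.spawnl",
    "eval", "exec", "compile", "__import__",
}


def _import_aliases(tree):
    """Map local names to what they import, e.g. co -> subprocess.check_output."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _resolve(func, aliases):
    """Qualified name of a call target, or None if it cannot be named statically."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
    if isinstance(func, ast.Name):
        return aliases.get(func.id, func.id)
    return None


def find_process_calls(source, filename="<string>"):
    """Return sorted (lineno, qualified_call, shell_true) for every flagged call.

    shell_true marks subprocess calls made with shell=True, the variant in which
    a repo-controlled string becomes a shell command line.
    """
    tree = ast.parse(source, filename=filename)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _resolve(node.func, aliases)
        if name not in PROCESS_CALLS:
            continue
        shell_true = any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        )
        findings.append((node.lineno, name, shell_true))
    return sorted(findings)


def scan_scripts(directory):
    """Scan every *.py under a skill's scripts/ directory; returns {path: findings}."""
    report = {}
    for path in sorted(Path(directory).rglob("*.py")):
        report[str(path)] = find_process_calls(path.read_text(encoding="utf-8"), str(path))
    return report


def check_required_binaries(names=("git", "python3")):
    """Map each binary the skill assumes to its resolved path, or None if missing."""
    return {name: shutil.which(name) for name in names}


# Constructed sample input (not from the skill): what an analysis script that
# shells out might look like. Lines 9-10 are the pattern a reviewer should refuse.
SAMPLE_SCRIPT = '''\
import subprocess, os
from subprocess import check_output as co

def clone(url, dest):
    subprocess.run(["git", "clone", "--depth", "1", url, dest], check=True)

def analyze(path):
    # repo-controlled string reaching a shell
    os.system("cat " + path + "/README.md")
    return co("ls " + path, shell=True)
'''

if __name__ == "__main__":
    print("binaries:", check_required_binaries())
    for lineno, call, shell in find_process_calls(SAMPLE_SCRIPT, "sample.py"):
        print(f"sample.py:{lineno}: {call}{' (shell=True)' if shell else ''}")
    # For a real skill: print(scan_scripts("path/to/skill/scripts"))
```

Run it from the directory containing the downloaded skill and pass scripts/ to scan_scripts; an argv-list git clone is what the skill's purpose requires, while any os.system or shell=True call on a path or URL taken from a repository is the kind of unexpected invocation the assessment says to look for.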



