GitHub Star Manager
v0.1.2
Manage GitHub stars with AI-powered categorization and cleanup. Use when a user wants to organize their starred repos into GitHub Lists, clean up stale/depre...
⭐ 0· 624·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage and categorize GitHub stars) matches the declared dependencies (gh, jq) and the SKILL.md commands (gh api, GraphQL mutations, jq). There are no unrelated binaries or secrets requested.
Instruction Scope
SKILL.md instructs the agent to run gh CLI commands that read/export stars, create lists, add repos, and delete (unstar) repos. That scope is appropriate for the stated purpose, but several operations are destructive (unstar, mutations) and rely on the user's gh auth session — the skill does instruct to confirm before destructive actions, so the scope is reasonable if confirmations are enforced.
Install Mechanism
Install entries use standard package managers (brew and apt) for gh and jq, which is low risk. Minor inconsistency: the registry's top-level install metadata listed only brew formulas, while the SKILL.md's embedded metadata also lists apt packages; this is likely benign but inconsistent.
Credentials
The skill requests no environment variables and uses the existing gh auth session. It documents that Lists operations require a token with 'user' scope (or a Classic token), which is a broader permission than read-only but justified for creating/managing Lists. Requesting the gh session instead of asking for raw tokens is appropriate and limits direct exposure of secrets in env vars.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes. The agent may be allowed to invoke the skill autonomously (platform default); because the skill can perform destructive actions, users should ensure confirmation steps are enforced when granting autonomous invocation, but the skill itself does not demand elevated persistent privileges.
Assessment
This skill looks coherent for managing GitHub stars, but before installing: ensure you have gh installed and authenticated (gh auth login); back up your stars (run the export command and save stars.json) before bulk changes; note that Lists creation and mutation require a token with 'user' scope (Classic tokens are more powerful—only use if you understand the permissions); confirm that your agent or environment will prompt you before destructive actions (unstarring/removing items) or disable autonomous invocation if you don't want the agent to act without explicit consent; and prefer installing gh/jq from your system package manager (brew/apt) as shown. The only minor issue is an install-metadata inconsistency (brew vs apt) in documentation — not a security problem but worth checking.
Like a lobster shell, security has layers — review code before you run it.
latestvk977ksn7zrr35smdsygxg7r09h817nwc
Runtime requirements
⭐ Clawdis
Bins: gh, jq
Install
Install GitHub CLI (brew)
Bins: gh
brew install gh
Install jq (brew)
Bins: jq
brew install jq