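GitHub Stable Fetch
v2.1.0 provides multi-tier fallback options: it prefers SSH clone, then falls back to ghproxy mirrors and the jsdelivr CDN, to work around unstable GitHub connectivity from within China.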
by @d9g
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md and both scripts implement the described multi-tier GitHub retrieval (SSH, ghproxy, jsdelivr, raw). However the manifest did not declare required local binaries even though the scripts invoke git, ssh, curl, timeout, mkdir, and grep; this is a documentation/metadata omission rather than functional mismatch.
Instruction Scope
Instructions and scripts access local SSH key files (~/.ssh/id_*.pub and .ssh operations) and repository files (.gitattributes) which is appropriate for cloning, but the ssh precheck uses 'ssh -T ... -o StrictHostKeyChecking=no' which suppresses host-key verification for the probe (convenient but weakens MITM protection). The skill also makes network requests to GitHub API, ghproxy mirrors, jsdelivr CDN, and raw.githubusercontent — all consistent with its purpose.
Install Mechanism
No install spec (instruction-only plus included shell scripts). Nothing is downloaded or executed from external arbitrary URLs during install; all logic is in the provided scripts. This is the low-risk pattern for such a utility.
Credentials
The skill requests no environment variables or credentials. It does read local SSH key files and will use local git/ssh credentials if available — this is proportionate for cloning, but users should be aware the scripts will access ~/.ssh and may use your keys present there.
Persistence & Privilege
always:false and user-invocable: true. The skill does not request permanent platform-level presence or attempt to modify other skills or global agent settings. It will not autonomously escalate privileges beyond normal agent invocation.
Assessment
This skill appears to do what it says (help fetch/clone GitHub repos using SSH, ghproxy, jsdelivr, or raw). Before installing or running it:
1) Review the provided scripts yourself (they are included) to confirm you are comfortable running them.
2) Ensure you have the required local tools (git, ssh, curl, timeout) — the skill does not declare these but needs them.
3) Be aware the scripts read ~/.ssh keys and may use your local git/SSH credentials; if you don't want that, run the script in a sandbox or remove keys.
4) The SSH probe uses StrictHostKeyChecking=no which bypasses host-key checking for the probe step; consider running 'ssh-keyscan github.com >> ~/.ssh/known_hosts' beforehand or editing the script to avoid disabling host-key checks.
5) Using ghproxy/jsdelivr routes requests through third parties — do not use those for private repositories or sensitive files, as CDNs/mirrors can see request metadata or cached content.
6) Use the --probe option first to see which mirrors are reachable and test in a safe environment if you have high security requirements.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dcsxkk3d36b87s1yfr25zd984sfhh
