Sageox Distill Team Memory
v0.2.0Sync, index, and distill team activity across SageOx-enabled repositories. Keeps your team's knowledge base up to date by syncing repo contexts, indexing Git...
⭐ 0· 48·0 current·0 all-time
byGalex Yen@galexy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Required binaries (ox, git, gh, jq, claude) and the declared installs (npm @anthropic-ai/claude-code, brew gh/jq, and a pinned curl install for ox) all align with a tool that indexes GitHub activity and runs an LLM-backed distillation pipeline. No unrelated cloud credentials or unrelated system paths are requested.
Instruction Scope
SKILL.md limits actions to repo manifests, local state files under ~/.openclaw/memory, and invoking ox/gh/git/claude. It enforces path-validation rules and a readiness gate (update-ox.sh). The skill will cause repository content and metadata to be sent to services invoked (e.g., Claude via the claude_cli or ox), which is expected behavior but important for user consent.
Install Mechanism
Installs come from reasonable sources: npm package for Claude CLI, brew for gh and jq, and a pinned GitHub Releases tarball for ox with embedded sha256 verification. The curl-download script avoids piping to shell, writes to $HOME/.local/bin, and verifies the binary; this is an acceptable install pattern and low-to-moderate risk.
Credentials
The registry metadata declares no required environment variables, but SKILL.md refers to ANTHROPIC_API_KEY (or 'claude login') as necessary for LLM calls; that env var is not listed in requires.env. This is a minor metadata mismatch — the need for an Anthropic key is legitimate for Claude usage, but the skill should have declared it. No other unrelated secrets are requested.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill writes/read only its own state under ~/.openclaw/memory and installs ox into $HOME/.local/bin; it does not modify other skills or system-wide configs. This level of persistence is typical and proportionate.
Assessment
This skill appears coherent and implements a careful, pinned install for the ox binary, but before installing or running it consider the following:
- Running distillation will cause repository content and metadata to be processed and sent to external services (Claude/Anthropic and GitHub via gh). Only proceed if you are comfortable with that data flow and any policy/PII implications.
- The SKILL.md expects you to authenticate Claude (either via `claude login` or by exporting ANTHROPIC_API_KEY). That env var is not listed in the registry metadata — make sure you set credentials intentionally and do not expose broader secrets.
- The ox install script downloads a pinned GitHub release and verifies sha256; review the OX_INSTALL_REF and embedded checksums if you want to audit the exact release being installed.
- The skill writes state to ~/.openclaw/memory. Treat those files as local state; if you need to inspect or restrict them, do so before running the skill.
- If you have strict supply-chain or corporate policies, confirm the npm package @anthropic-ai/claude-code and the brew formulas are allowed in your environment.
Overall: technically coherent and low risk for its stated purpose, but review and consent to the LLM/GitHub data flows and supply-chain elements before use.Like a lobster shell, security has layers — review code before you run it.
latestvk975wgyky8s8e8tp5cepqe4gzs84w5wh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔬 Clawdis
OSmacOS · Linux
Binsox, git, gh, jq, claude
Install
Install Claude Code CLI (npm)
Bins: claude
npm i -g @anthropic-ai/claude-codeInstall GitHub CLI (brew)
Bins: gh
brew install ghInstall jq (brew)
Bins: jq
brew install jq