ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub API 工具

GitHub 操作工具 - 通过 GitHub API 管理仓库、Issues、PRs、Actions 等

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 112 · 0 current installs · 0 all-time installs
by@gaoren36-arch
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise GitHub repo/issue/PR/Actions management and the SKILL.md provides concrete curl-based commands and endpoints that implement exactly that functionality. Requested capabilities (create issues, list PRs, trigger workflows, read files) are coherent with the stated purpose.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to use curl (via exec) and to read an environment variable GITHUB_TOKEN from ~/.openclaw/openclaw.json. The instructions are otherwise limited to GitHub API endpoints (api.github.com). However, they give the agent shell exec guidance and a place to store a long-lived token — and the metadata did not declare these runtime requirements. This mismatch increases risk because users may not realize a secret token will be read from agent config and used by shell commands.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is the lowest install risk (nothing is downloaded or written by an installer).
!
Credentials
The SKILL.md requires a GITHUB_TOKEN with scopes including repo and workflow (broad privileges). However, the registry metadata lists no required env vars or primary credential — a clear inconsistency. The requested token scopes are plausible for full repo/Actions management, but because the credential requirement is not declared in metadata, users may not expect to provide such a powerful secret.
Persistence & Privilege
The skill is not forced-always, does not request system-level persistence, and does not declare changes to other skills or global agent settings. It does advise storing the token in the agent config (~/.openclaw/openclaw.json), which is normal for credentials but should be noted.
What to consider before installing
This skill appears to implement GitHub API calls correctly, but the SKILL.md requires a GitHub personal access token (GITHUB_TOKEN) and uses curl via shell exec while the registry metadata declares no required env vars or binaries — an incoherence that could be accidental or sloppy. Before installing: 1) Ask the publisher to update metadata to list GITHUB_TOKEN as a required credential and to declare required binaries (curl). 2) Prefer least-privilege: create a PAT with only the scopes you actually need (avoid granting unnecessary repo/workflow permissions; consider using a fine-grained token or a GitHub App). 3) Store tokens securely and rotate them if you revoke access. 4) Audit who published the skill (source/homepage unknown) — treat unknown provenance with caution. 5) If you proceed, monitor token usage and consider using a token dedicated to the skill with minimal privileges.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979msxh19529t71m5q30gpdf18328ns

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

GitHub 操作工具

通过 GitHub REST API 管理仓库、Issues、PRs、Actions 等。

认证

需要设置 GitHub Token 环境变量:

# 在 openclaw 配置中设置
GITHUB_TOKEN=your_github_personal_access_token

Token 权限要求:

  • repo - 完整仓库操作
  • read:user - 读取用户信息
  • workflow - GitHub Actions 操作

核心功能

功能说明
仓库信息获取仓库详情、统计信息
Issues列表、查看、创建、关闭、编辑
PR列表、查看、创建、合并、审查
Commits查看提交历史
Actions查看 workflow、运行状态
搜索搜索仓库、代码
文件操作读取文件内容
用户信息获取用户资料

使用方式

1. 设置 Token

~/.openclaw/openclaw.json 中配置:

{
  "env": {
    "GITHUB_TOKEN": "ghp_xxxxxxxxxxxx"
  }
}

2. 仓库操作

# 获取仓库信息
github_get_repo owner=octocat repo=hello-world

# 获取仓库统计数据
github_get_repo_stats owner=octocat repo=hello-world

# 列出用户仓库
github_list_repos user=octocat type=all sort=updated

3. Issues 操作

# 列出仓库 issues
github_list_issues owner=octocat repo=hello-world state=open

# 查看单个 issue
github_get_issue owner=octocat repo=hello-world issue_number=1

# 创建 issue
github_create_issue owner=octocat repo=hello-world title="Bug: 登录失败" body="复现步骤..."

# 关闭 issue
github_close_issue owner=octocat repo=hello-world issue_number=1

# 编辑 issue
github_edit_issue owner=octocat repo=hello-world issue_number=1 title="新标题"

4. Pull Request 操作

# 列出 PRs
github_list_pulls owner=octocat repo=hello-world state=open

# 查看 PR
github_get_pull owner=octocat repo=hello-world pull_number=1

# 创建 PR
github_create_pull title="feat: 新功能" body="描述..." head=feature-branch base=main owner=octocat repo=hello-world

# 合并 PR
github_merge_pull owner=octocat repo=hello-world pull_number=1 merge_method=squash

# 查看 PR 文件变更
github_list_pull_files owner=octocat repo=hello-world pull_number=1

5. Commits 操作

# 获取提交历史
github_list_commits owner=octocat repo=hello-world per_page=10

# 查看单个提交
github_get_commit owner=octocat repo=hello-world ref=abc123

6. GitHub Actions

# 列出 workflows
github_list_workflows owner=octocat repo=hello-world

# 查看 workflow runs
github_list_workflow_runs owner=octocat repo=hello-world workflow_id=build

# 触发 workflow
github_dispatch_workflow owner=octocat repo=hello-world workflow_id=build ref=main

7. 搜索

# 搜索仓库
github_search_repos query="tetris language:javascript" sort=stars order=desc

# 搜索代码
github_search_code q="octocat filename:package.json"

# 搜索 issues
github_search_issues q="bug state:open repo:octocat/Hello-World"

8. 文件操作

# 获取文件内容
github_get_file owner=octocat repo=hello-world path=README.md

# 获取文件元信息(含 SHA)
github_get_file owner=octocat repo=hello-world path=README.md ref=main

9. 用户信息

# 获取当前用户
github_get_user

# 获取其他用户
github_get_user username=octocat

API 调用方式

使用 exec 工具调用 GitHub API:

# 格式
curl -H "Authorization: token $GITHUB_TOKEN" \
     -H "Accept: application/vnd.github.v3+json" \
     https://api.github.com/{endpoint}

# 示例:获取仓库信息
curl -H "Authorization: token $GITHUB_TOKEN" \
     -H "Accept: application/vnd.github.v3+json" \
     https://api.github.com/repos/octocat/hello-world

常用 API 端点

端点说明
/repos/{owner}/{repo}仓库信息
/repos/{owner}/{repo}/issuesIssues 列表
/repos/{owner}/{repo}/pullsPRs 列表
/repos/{owner}/{repo}/commits提交历史
/repos/{owner}/{repo}/actions/workflowsActions
/search/repositories搜索仓库
/search/code搜索代码
/user当前用户

常见工作流

创建一个 Issue 并标记

1. github_create_issue 创建 issue
2. github_add_labels 添加标签
3. github_assign 添加负责人

审查 PR

1. github_get_pull 获取 PR 信息
2. github_list_pull_files 查看文件变更
3. github_create_review 创建审查意见

触发 CI/CD

1. github_list_workflows 查看可用 workflows
2. github_dispatch_workflow 触发指定 workflow

注意事项

  1. Rate Limits:未认证请求 60次/小时,认证后 5000次/小时
  2. Token 安全:不要把 token 暴露在代码中
  3. Pagination:大量数据需要分页处理
  4. API Version:使用 application/vnd.github.v3+json Accept header

错误处理

常见错误:

状态码说明
401Token 无效或过期
403权限不足或 rate limit
404资源不存在
422验证失败

快速命令模板

# 查看仓库
curl -s -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/{owner}/{repo}

# 列出 open issues
curl -s -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/{owner}/{repo}/issues?state=open"

# 创建 issue
curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"title":"标题","body":"内容"}' \
     https://api.github.com/repos/{owner}/{repo}/issues

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…