Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Extract

v0.0.2

Extract content from a GitHub url.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for guoqiao/gh-extract.

Install the skill "GitHub Extract" (guoqiao/gh-extract) from ClawHub.
Skill page: https://clawhub.ai/guoqiao/gh-extract
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: uv
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install guoqiao/gh-extract

ClawHub CLI

npx clawhub@latest install gh-extract

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the code and instructions: it converts GitHub URLs to raw.githubusercontent.com and fetches/saves file contents. However, there is a minor inconsistency: registry metadata lists only 'uv' as a required binary, while SKILL.md and the code also require 'wget'. The script also lists Python dependencies in its header (furl, requests, loguru, urllib3) but the registry has no install spec. This is plausible if the execution environment (uv) handles them, but it is a mismatch between declared and used requirements.
Instruction Scope
SKILL.md instructs the agent to run the provided script with a single GitHub URL and optionally save to a temp file. The script limits its actions to converting URLs, trying common README/SKILL files for repo/tree URLs, fetching via HTTP, or using wget to save to a temp dir. It does not reference unrelated system files, additional env vars, or external endpoints beyond GitHub/raw.githubusercontent.com. It will download arbitrary user-supplied URLs (expected behavior), so user-provided URLs must be trusted.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The script header declares Python dependencies (PyPI packages) that will need to be present or installed by the runtime; how those get installed depends on the uv runtime but is not documented here. No remote install URLs or archive extraction are used.
Credentials
The skill requests no environment variables or credentials. It performs network requests to GitHub/raw.githubusercontent.com and spawns wget to save files into a temp directory. No access to other credentials, config paths, or unrelated services is requested.
Persistence & Privilege
always:false and no requests to modify other skills or global agent configuration. The skill creates temporary files when saving downloads, which is normal for this functionality and limited in scope.
What to consider before installing
This skill appears to do what it says — fetch content from public GitHub URLs — but check these points before installing: (1) SKILL.md and the script call 'wget' though the registry metadata only lists 'uv'; ensure 'wget' is available on the host or adjust expectations. (2) The script declares Python dependencies (furl, requests, loguru, urllib3) but there is no install specification — confirm how your runtime will provide or install them. (3) The tool will download arbitrary user-supplied URLs (via requests/wget) and write them to a temporary directory — only use it with trusted GitHub URLs. (4) No secrets are requested and the code only talks to GitHub/raw.githubusercontent.com, but if you run this in a shared environment be aware it will perform outbound HTTP requests and write files to /tmp. If any of these inconsistencies are unacceptable, ask the author to: add 'wget' to required binaries, document dependency installation in the registry, or provide an explicit install spec so you can review what will be installed.

Runtime requirements

🦞 Clawdis
OS: macOS · Linux · Windows
Bins: uv
Tags: GitHub, extract, gh, latest, markdown, python, reader, scraper, summarize, uv
897 downloads
0 stars
2 versions
Updated 17h ago
MIT-0

GitHub Extract

Extract content from a GitHub url.

Use this skill when the user types /gh-extract or asks to extract/download/summarize a GitHub url.

What it does

  • Accepts a GitHub URL, which can be a repo, tree, or blob URL.
  • Converts the URL to a GitHub raw URL.
  • Extracts the file content from the raw URL, or saves it to a temp path.

Requirements

  • uv
  • wget

Usage

# print file content to stdout
uv run --script ${baseDir}/gh_extract.py <url>

# save file to a temp path, with a proper filename
uv run --script ${baseDir}/gh_extract.py <url> --save

Notes

  • Only works for public repos.
  • The URL can be a repo, tree, or blob URL.
  • For repo/tree URLs, it will try to get README.md, SKILL.md, or README.txt.
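
The scan above notes that the skill downloads whatever URL it is handed, so one option is to gate the input before it reaches the script. The following is an added example, not the skill's own gh_extract.py: it accepts only plain https://github.com repo/tree/blob URLs and derives the raw URLs to try. The function names, the strict github.com-only allow-list, and the use of HEAD as the ref for a bare repo URL are assumptions of this example; branch names containing a slash are not handled.

```python
from urllib.parse import quote, urlsplit

ALLOWED_HOST = "github.com"  # assumption: the only host this gate accepts
RAW_HOST = "raw.githubusercontent.com"
DEFAULT_FILES = ("README.md", "SKILL.md", "README.txt")  # order from the Notes


def raw_candidates(url: str) -> list[str]:
    """Return the raw URLs to try for a repo/tree/blob URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted")
    # Compare the parsed host, never a substring: this rejects look-alike
    # hosts and URLs that carry "github.com" in the userinfo part.
    if parts.hostname != ALLOWED_HOST or parts.username or parts.password or parts.port:
        raise ValueError("host is not exactly github.com")
    segs = [s for s in parts.path.split("/") if s]
    # Refuse dot segments and percent-encoding so nothing is decoded twice later.
    if len(segs) < 2 or any(s in (".", "..") or "%" in s or "\\" in s for s in segs):
        raise ValueError("not a plain owner/repo path")
    owner, repo, rest = segs[0], segs[1], segs[2:]
    base = f"https://{RAW_HOST}/{quote(owner)}/{quote(repo)}"
    if not rest:
        # Bare repo URL. Assumption: HEAD resolves to the default branch.
        return [f"{base}/HEAD/{name}" for name in DEFAULT_FILES]
    if rest[0] not in ("blob", "tree") or len(rest) < 2:
        raise ValueError("only repo, tree and blob URLs are supported")
    # Assumption: the ref is a single path segment (no slash in the branch name).
    ref, path = quote(rest[1]), "/".join(quote(s) for s in rest[2:])
    if rest[0] == "blob":
        if not path:
            raise ValueError("blob URL has no file path")
        return [f"{base}/{ref}/{path}"]
    prefix = f"{base}/{ref}/" + (path + "/" if path else "")
    return [prefix + name for name in DEFAULT_FILES]


def is_acceptable(url: str) -> bool:
    """True when raw_candidates() would accept the URL."""
    try:
        raw_candidates(url)
        return True
    except ValueError:
        return False
```
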
