GitHub Extract

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is a straightforward GitHub content extractor, with minor review notes about URL scope and runtime dependencies.

This appears safe for extracting public GitHub content. Before installing, note that save mode depends on wget and that the script may fetch the original URL if GitHub conversion fails, so use trusted public URLs and avoid pointing it at private or internal addresses.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool may contact non-GitHub URLs if one is supplied, even though the skill is described as GitHub-focused.

Why it was flagged

If a URL cannot be converted to a GitHub raw URL, including when the host is not github.com, the script falls back to fetching or downloading the original user-supplied URL.

Skill content

raw_url = get_github_raw_url(args.url) or args.url

Recommendation

Use only trusted public GitHub URLs, or tighten the script to fail closed when the host is not github.com or raw.githubusercontent.com.

What this means

On first run, uv may resolve and install newer dependency versions, which is normal for this kind of script but gives less reproducibility than pinned versions.

Why it was flagged

The uv script declares runtime package dependencies with lower-bound version constraints rather than exact pins.

Skill content

"furl>=2.1.4", "loguru>=0.7.3", "requests>=2.32.5", "urllib3>=2.6.3"

Recommendation

For stronger reproducibility, pin exact dependency versions or provide a lockfile; otherwise install only in an environment where resolving these common packages is acceptable.