Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Knowledge Base

Manage a local GitHub knowledge base and provide GitHub search capabilities via gh CLI. Use when users ask about repos, PRs, issues, request to clone GitHub repositories, explore codebases, or need information about GitHub projects. Supports searching GitHub via gh CLI and managing local KB with GITHUB_KB.md catalog. Configure via GITHUB_TOKEN and GITHUB_KB_PATH environment variables.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 2.1k · 11 current installs · 12 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (manage a local GitHub KB and search via gh) reasonably requires the gh CLI, git, and a local filesystem path; the SKILL.md documents GITHUB_TOKEN and GITHUB_KB_PATH. However, the registry metadata lists no required binaries, env vars, or config paths — a mismatch between what the skill says it needs and what the manifest declares.
! Instruction Scope
The runtime instructions tell the agent to read and update GITHUB_KB.md, locate and write into ${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/, clone repositories, and read README/key files to generate descriptions. These file-system operations and cloning actions are coherent with the purpose but are not represented in the manifest; they mean the skill will access and modify local files and may clone remote repos.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written by an installer. That limits installation risk; however, runtime commands assume external tools (gh, git) are present.
! Credentials
SKILL.md asks for GITHUB_TOKEN (optional) and GITHUB_KB_PATH, which are reasonable for private-repo access and locating the KB. But the skill manifest lists no required env vars or primary credential. A missing declaration of the token requirement is an incoherence and means users may not realize they'll need to provide a sensitive credential. The token should be least-privilege and documented in the manifest.
Persistence & Privilege
The skill does not request permanent platform privileges (always:false) and has no install step. It will, at runtime, write to a repository catalog file (GITHUB_KB.md) and clone repositories into a local path — expected for its function but important to know because it modifies user filesystem state.
What to consider before installing
This skill appears to do what it claims (search GitHub via gh and manage a local KB) but the published manifest omits important runtime requirements. Before installing or enabling it:

  1. Confirm the publisher and ask them to update the manifest to list required binaries (gh, git) and required env vars/config paths.
  2. If you provide a GITHUB_TOKEN, make it least-privilege (scopes only as needed) and supply it via a secure secret store or env injection, not hardcoded.
  3. Decide whether you trust the skill to read/write the default KB path; change GITHUB_KB_PATH to a controlled directory if needed.
  4. If you need assurance, request the skill owner add explicit statements about what files it will modify and add checks (e.g., prompt before cloning or writing GITHUB_KB.md).

These inconsistencies are likely an oversight but should be resolved before use.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latestvk97c1zwzn92v6yp1f5nerf9y7d801y3h


SKILL.md

GitHub Knowledge Base

Manage a local GitHub knowledge base and provide GitHub search capabilities via gh CLI. Key file: GITHUB_KB.md at the root of the KB directory catalogs all projects with brief descriptions.

Configuration

Set environment variables before use:

  • GITHUB_TOKEN - GitHub Personal Access Token (optional, for private repos)
  • GITHUB_KB_PATH - Path to local KB directory (default: /home/node/clawd/github-kb)

Example:

export GITHUB_TOKEN="ghp_xxxx..."
export GITHUB_KB_PATH="/your/path/github-kb"

Token Privacy: Never hardcode tokens. Inject via environment variables or container secrets.

GitHub CLI (gh)

Requirement: GitHub CLI must be installed and authenticated.

Installation:

  • macOS: brew install gh
  • Linux: apt install gh or see official install guide
  • Windows: winget install GitHub.cli

Authentication:

# Interactive login
gh auth login

# Or pass the token from the GITHUB_TOKEN env var on stdin (--with-token reads standard input)
printf '%s\n' "$GITHUB_TOKEN" | gh auth login --with-token

Verify: gh auth status

If gh is not installed or not authenticated, skip search operations and use only local KB features.

Searching Repos

# Search repos by keyword
gh search repos <query> [--limit <n>]

# Examples:
gh search repos "typescript cli" --limit 10
gh search repos "language:python stars:>1000" --limit 20
gh search repos "topic:mcp" --limit 15

Search qualifiers:

  • language:<lang> - Filter by programming language
  • stars:<n> or stars:><n> - Filter by star count
  • topic:<name> - Filter by topic
  • user:<owner> - Search within a user's repos
  • org:<org> - Search within an organization

Searching Issues

gh search issues "react hooks bug" --limit 20
gh search issues "repo:facebook/react state:open" --limit 30
gh search issues "language:typescript label:bug" --limit 15

Search qualifiers:

  • repo:<owner/repo> - Search in specific repository
  • state:open|closed - Filter by issue state
  • author:<username> - Filter by author
  • label:<name> - Filter by label
  • language:<lang> - Filter by repo language
  • comments:<n> or comments:><n> - Filter by comment count

Searching Pull Requests

# Search PRs
gh search prs <query> [--limit <n>]

# Examples:
gh search prs "repo:vercel/next.js state:open" --limit 30
gh search prs "language:go is:merged" --limit 15

Search qualifiers:

  • repo:<owner/repo> - Search in specific repository
  • state:open|closed|merged - Filter by PR state
  • author:<username> - Filter by author
  • label:<name> - Filter by label
  • language:<lang> - Filter by repo language
  • is:merged|unmerged - Filter by merge status

Viewing PR/Issue Details

# View issue/PR details
gh issue view <number> --repo <owner/repo>
gh pr view <number> --repo <owner/repo>

# View with comments
gh issue view <number> --repo <owner/repo> --comments
gh pr view <number> --repo <owner/repo> --comments

Local Knowledge Base Workflow

Querying About a Repo in KB

  1. Read GITHUB_KB.md to understand what projects exist
  2. Locate the project directory under ${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/

Cloning a New Repo to KB

  1. Search GitHub if the full repo name is not known
  2. Clone to KB directory:
    git clone https://github.com/<owner>/<name>.git "${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/<name>"
    
  3. Generate project description: Read README or key files to understand the project
  4. Update GITHUB_KB.md: Add entry for the new repo following the existing format:
    ### [<name>](/<name>)
    Brief one-line description of what the project does. Additional context if useful (key features, tech stack, etc.).
    
  5. Confirm completion: Tell user the repo was cloned and where to find it

Default Clone Location

If user says "clone X" without specifying a directory, default to ${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/.
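
The scan notes earlier on this page suggest keeping the KB in a controlled directory and prompting before cloning. The wrapper below is an added example of that check, not part of the skill's SKILL.md; the function names kb_valid_slug, kb_dest and kb_clone are hypothetical, and the slug allow-list is deliberately conservative.

```shell
#!/bin/sh
# Added example: guarded clone into the KB directory (not the skill's own code).
KB_ROOT="${GITHUB_KB_PATH:-/home/node/clawd/github-kb}"

# Accept only "owner/name". Reject extra path segments, "..", and any segment
# starting with "-" or "." so the value cannot act as a git option or escape
# the KB directory.
kb_valid_slug() {
  case "$1" in
    */*/*|-*|.*|*/-*|*/.*|*..*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9._-]+$'
}

# Print the clone destination for a slug. Fails if the slug is rejected, the
# KB root does not exist, or the destination is already present.
kb_dest() {
  kb_valid_slug "$1" || { echo "rejected slug: $1" >&2; return 1; }
  _kb_root="$(cd "$KB_ROOT" 2>/dev/null && pwd -P)" \
    || { echo "KB root missing: $KB_ROOT" >&2; return 1; }
  _kb_dest="$_kb_root/${1#*/}"
  if [ -e "$_kb_dest" ]; then
    echo "already exists: $_kb_dest" >&2
    return 1
  fi
  printf '%s\n' "$_kb_dest"
}

# Clone only after explicit confirmation. GIT_TERMINAL_PROMPT=0 stops git from
# asking for credentials interactively; "--" ends option parsing.
kb_clone() {
  _kb_target="$(kb_dest "$1")" || return 1
  printf 'Clone https://github.com/%s.git into %s? [y/N] ' "$1" "$_kb_target"
  read -r _kb_answer
  if [ "$_kb_answer" != "y" ]; then
    echo "skipped" >&2
    return 1
  fi
  GIT_TERMINAL_PROMPT=0 git clone --depth 1 -- \
    "https://github.com/$1.git" "$_kb_target"
}
```

Source the file and call `kb_clone <owner>/<name>`; the GITHUB_KB.md entry is written only after the clone succeeds.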

GITHUB_KB.md Format

The catalog file follows this structure:

# GitHub Knowledge Base

This directory contains X GitHub projects covering various domains.

---

## Category Name

### [project-name](/project-name)
Brief description of the project.

Maintain categorization and consistent formatting when updating.
