Surge Download Manager
v1.1.0
Blazing fast TUI download manager with multi-connection, queue management, server mode, multiple mirrors, and a beautiful terminal interface.
by @kexu9
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md and scripts/surge.py all describe a wrapper for the 'surge' download manager, and the advertised features (TUI, server mode, add/list/pause/resume) align with the code and instructions. However, registry metadata earlier listed no required binaries while SKILL.md metadata explicitly names the 'surge' binary and gives a GitHub homepage; this mismatch is worth verifying.
Instruction Scope
SKILL.md's runtime instructions stay on-task: how to install the surge binary, running server/TUI, adding URLs, and using tokens. The included wrapper script only runs the local 'surge' command, lists status, and starts the server. There are no instructions to read unrelated files, export environment secrets, or call external endpoints beyond the normal download flow.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md recommends installing via brew, go install, or downloading a release from GitHub. That is reasonable, but because the skill will invoke a local 'surge' binary, you should confirm the binary's provenance (the SKILL.md points to a GitHub URL while the top metadata declared no homepage — another minor inconsistency).
Credentials
The skill doesn't request any environment variables, credentials, or config paths. The wrapper script doesn't read env vars or secrets. The only token mentioned is the surge application's API token (returned/managed by the surge binary itself), which is expected for a server-mode download manager.
Persistence & Privilege
The skill does not request 'always: true' or any elevated, persistent platform privileges. It starts subprocesses (surge server) as a normal user operation and does not modify other skills or system-wide agent configuration.
What to consider before installing
This skill appears to be a thin wrapper around a local 'surge' download manager and is generally coherent with that purpose, but there are small metadata inconsistencies (missing required-bins in registry metadata vs SKILL.md) and no install is provided, so the wrapper will call whatever 'surge' binary is on PATH. Before installing or running this skill: (1) Verify the upstream project/release you plan to install (prefer official GitHub releases or your OS package manager), (2) avoid running an untrusted 'surge' binary — inspect or build it from source if possible, (3) be aware the wrapper launches the surge binary with user-provided URLs/args (no extra sanitization), so run it with least privilege and avoid running as root, (4) confirm the SKILL.md homepage and registry info match the repository you download from. If you want higher assurance, request an install spec that pins a vetted package or includes a checksum for the binary.
Like a lobster shell, security has layers — review code before you run it.
