Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Github Sync Skill
v2.0.0 · Automatically syncs locally created or modified Claude Code skills to a GitHub repository. Supports incremental sync, single-skill sync, and automatic README.md generation.
⭐ 0 · 44 · 0 current · 0 all-time
by Kuiil @kuiilabs
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (sync local Claude Code skills to GitHub, incremental sync, README generation, token verification) matches most of the included scripts (sync_to_github.sh, verify_token.sh, check_changes.sh). However, there is an additional cleanup_remote_repo.sh script that is not described in SKILL.md and provides recursive deletion of repo contents except a small whitelist. That destructive capability is not communicated in the description/instructions and appears tailored to a specific repository/owner; this mismatch is concerning.
Instruction Scope
The SKILL.md documents sync, single-skill upload, README update, and token checks and shows how to run sync and verify scripts. It does not mention the cleanup_remote_repo.sh script, which can delete many files in the remote repo. The scripts operate on ~/.claude/skills and GitHub API only (no unknown external endpoints), but the omission of the cleanup behavior in the runtime instructions is scope creep and dangerous if run unintentionally.
Install Mechanism
This is an instruction-only skill (no install spec). That minimizes install-time risk; the runtime behavior is implemented in shell scripts included in the package. No external arbitrary downloads or archive extraction are performed by an installer.
Credentials
Registry metadata lists no required env vars, but the scripts and SKILL.md clearly expect a GitHub personal access token (GITHUB_TOKEN) and use it for create/update/delete operations. The token is sensitive and must have repo-level permissions for many of these operations. The absence of GITHUB_TOKEN from the declared requirements is an inconsistency. Also, cleanup_remote_repo.sh uses the token with delete permissions together with default OWNER/REPO constants; this combination can result in broad destructive effects if misused.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges, and it does not modify other skills' configurations. However, it includes a script that, when executed with a sufficiently privileged token, can permanently delete remote repository content. That is a high-impact action but is performed via the user's GitHub token rather than platform-level persistence.
What to consider before installing
Review the scripts before installing or running anything. Key points:
- Inspect cleanup_remote_repo.sh carefully: it defaults to owner/repo = kuiilabs/claude-skills and includes a whitelist; when run with a token that has write/admin rights it will recursively delete remote repo contents (it asks for confirmation interactively, but this can be automated). Do NOT run this script unless you understand and have adjusted OWNER/REPO and the whitelist.
- The package does not declare GITHUB_TOKEN as a required env var, but the scripts need a GitHub PAT with repo permissions. Use a least-privilege token scoped only to the repository you intend, and prefer a throwaway/rotated token for testing.
- Test with --dry-run (or read-only API calls) first. Use verify_token.sh and check_changes.sh to validate environment and token behavior before syncing.
- Run sync operations against a new/empty test repository you control to confirm behavior. Do not grant a wide-scoped token or run cleanup_remote_repo.sh against production repos until you fully understand and adapt its hard-coded defaults.
- If you are unsure, ask the publisher for clarification (why the cleanup script exists and why it is not documented), or consider forking the skill and removing the cleanup script before use.
latest: vk9731y6tm2f17795kz1napst4d848045
