china-mirror-skills
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If your proxy setting contains a password or token, running diagnostics or setup may reveal it in output.
The helper collects and logs complete proxy environment variable values. Proxy URLs can contain usernames, passwords, or tokens, so printing the full value can place credentials into the agent transcript or logs.
found_proxy="${found_proxy}${var}=${!var}; "
...
log_warn "Proxy environment variables detected: $proxy_env"
Redact proxy values before printing them, or only show variable names/hostnames. Users should avoid running this with credential-bearing proxy URLs unless the output is masked.
Private Go module paths may be sent to a public or third-party Go proxy instead of staying private.
The Go setup persists an empty GOPRIVATE value in the user's shell profile. This can override a user's private-module protection and affect future Go commands across sessions.
export GOPROXY="${proxy_url},direct"
export GO111MODULE=on
export GOPRIVATE=""
Preserve any existing GOPRIVATE value, ask before changing it, and document how users should configure private module patterns.
The skill can change system package sources and development-tool configuration, which may affect future installs and updates.
The skill documents sudo-capable setup scripts and overwrite/yes flags. This is aligned with configuring package mirrors, but it is high-impact local configuration authority.
| APT (Ubuntu/Debian) | `sudo scripts/apt/setup.sh` | tuna |
| Docker CE + Hub | `sudo scripts/docker/setup.sh` | tuna |
...
- `-f / --force` — force overwrite
- `-d / --dry-run` — preview changes without applying
- `-y / --yes` — skip confirmation prompts
Use dry-run first, review the mirror URLs, keep backups, and avoid --yes/--force unless you are sure.
Sensitive configuration values could be duplicated locally in backup files.
The backup tool may copy configuration files that sometimes contain tokens, proxy settings, or other secrets into the local backup area.
["npm"]="${HOME}/.npmrc"
["github"]="${HOME}/.gitconfig"
["go"]="${HOME}/.bash_profile,${HOME}/.zshrc"
...
backup_file "$file" "$tool"
Check backup permissions and avoid broad --all backups if your config files contain secrets, or redact token-bearing files before backup.
