Mirror Source Manager
v1.0.0
x-mirror is a comprehensive mirror source management tool for various package managers. Use this skill whenever users need to configure, switch, or query pac...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
The SKILL.md describes mirror management for many package managers and all runtime instructions call the x-cmd loader and x mirror subcommands. Requiring the x-cmd runtime (~/.x-cmd.root/X) and providing installation guidance is consistent with the stated purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions stay on-topic (listing/setting/restoring mirrors). The SKILL.md instructs the agent to source ~/.x-cmd.root/X and, if not present, to offer installation options. It does not ask the agent to read unrelated files or environment variables. However, the included installation guidance explicitly permits the agent to download and run remote install scripts (with user consent), which expands runtime behavior to executing network-fetched code — this is documented but worth flagging.
Install Mechanism
The skill is instruction-only (no package install spec), but data/install.md promotes three install paths: Homebrew (recommended, low risk), a manual download+review (medium risk), and an auto-install curl -fsSL https://get.x-cmd.com | sh (high risk). The auto-install pattern (pipe to sh) is inherently risky. The guide also references binaries from GitHub releases (normal) and packages from an unusual domain (https://conda.prefix.dev), which should be verified. Although the doc recommends verification and Homebrew, the presence of a one-line remote-exec install is the primary risk.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. The install scope is user-local (~/.x-cmd.root/) and claims no sudo required. That is proportionate for a CLI helper. Note: running the networked installer in an environment containing secrets is warned against in the doc.
Persistence & Privilege
The skill is not always-included, and it does not request elevated privileges. Installation is user-local and self-contained. The included agent workflow instructs the agent to ask the user before installing, which limits autonomous high-privilege actions. There is no instruction to modify other skills or system-wide settings beyond adding files under ~/.x-cmd.root/ and shell sourcing.
Assessment
This skill appears to do what it says (manage package mirrors) and asks for no secrets, but installing the underlying x-cmd runtime can be risky if you choose the one-line auto-installer. Prefer the Homebrew path (signed bottles) or the manual download+review option. Never run curl -fsSL https://get.x-cmd.com | sh on a machine with sensitive data or long-lived credentials. If you plan to install, review the install script at get.x-cmd.com and verify referenced checksums and release artifacts (and be cautious about any unfamiliar domains such as conda.prefix.dev). If you want the agent to perform installation, require explicit consent and prefer Homebrew/manual-review over the auto-install option.
