ClawHub

Atomgit Curl

v3.0.4

AtomGit (GitCode) 代码托管平台集成 - Curl/Bash 版本。完整支持 PR 审查、批准、合并、仓库管理、Issues 管理。特色功能:批量并行处理、文件树查看、PR 检查触发、CI 流水线检查、仓库协作管理。跨平台:Windows(Git Bash)/Linux/macOS。提供 36 个...

1· 166·1 current·1 all-time
by@panchenbo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (AtomGit Curl wrapper) match the included scripts and docs. Required binaries (curl, bash) and the single environment variable (ATOMGIT_TOKEN) are appropriate for the advertised functionality (API calls, PR/issue/repo operations).
Instruction Scope
SKILL.md and scripts instruct the agent to run the provided shell scripts and optionally read ~/.openclaw/openclaw.json or Windows paths to load ATOMGIT_TOKEN. That behavior is consistent with the purpose, but the scripts use grep to parse JSON (brittle) and spawn a Python subprocess for CI parsing. The scripts do not attempt to access unrelated system secrets or external endpoints other than api.atomgit.com.
Install Mechanism
No remote install/download steps — instruction-only skill with bundled scripts. This reduces supply-chain risk; installation is limited to setting execute permissions and optionally creating an alias as documented.
!
Credentials
Only ATOMGIT_TOKEN is required, which is proportional. However, the implementation claims 'secure token handling' but passes the token directly in curl header arguments (e.g., -H "Authorization: Bearer $ATOMGIT_TOKEN"), which can expose the token via process command-line on some systems. The scripts also search for tokens in local config files (~/.openclaw/openclaw.json and Windows locations), meaning they will read local files to find tokens if the env var is not set — this is functional but worth noting.
Persistence & Privilege
The skill is not marked always:true, does not auto-enable itself in other skills, and does not modify system-wide agent settings. It suggests optional edits (alias, openclaw.json) which are user actions, not forced changes by the skill.
Assessment
This skill appears to do what it claims (a curl/bash wrapper for AtomGit) and only requires ATOMGIT_TOKEN. Before installing, review the scripts yourself: they read ~/.openclaw/openclaw.json and some Windows paths to load tokens, and they build curl commands that include the token in the command line (which can be visible via process listings on some systems). If you decide to use it: (1) set ATOMGIT_TOKEN as an environment variable in a secure session (avoid hardcoding), (2) prefer tokens with limited scope/expiration, (3) ensure ~/.openclaw/openclaw.json and other config files are not world-readable, (4) run the scripts in a sandbox or non-privileged account if you have concerns, and (5) consider modifying the implementation to avoid passing tokens on the curl command line (e.g., use a netrc file or curl --config) if you need stronger protection.

Like a lobster shell, security has layers — review code before you run it.

latestvk975trhy2r75nmngyzcx0172c583pnrx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔗 Clawdis
OSWindows · Linux · macOS
Binscurl, bash
EnvATOMGIT_TOKEN

Comments