ClawHub

Code Share

Share code via GitHub Gist instead of inline chat blocks. Use when code output exceeds 10 lines, when the user asks for copy-friendly code sharing in Discord...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 579 · 1 current installs · 1 all-time installs
byJiayi Wang@Jeromestein
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (share code via Gist) align with the scripts and SKILL.md. However, the registry metadata lists no required binaries while the instructions and scripts require the GitHub CLI (gh). This is likely a metadata omission rather than malicious, but it is an inconsistency.
Instruction Scope
SKILL.md restricts behavior to creating/updating GitHub Gists via gh, scanning for secrets, and writing temp files for upload. It does not instruct reading unrelated system files or transmitting data to unexpected endpoints. The sensitive-data policy is explicit and appropriate.
Install Mechanism
There is no install spec (instruction-only), and the included shell scripts are simple wrappers around the gh CLI. No remote downloads or archive extraction are present. Low install risk.
Credentials
The skill does not request environment variables or credentials itself. It relies on the user's gh CLI authentication (stored/managed by gh). That is proportionate for a GitHub Gist integration.
Persistence & Privilege
always is false, no requests to modify other skills or global agent settings, and the scripts only operate on files passed to them and temporary files they create. No elevated persistence requested.
Assessment
This skill appears to do what it says: create and update GitHub Gists via the gh CLI. Before installing or using it: 1) Ensure the GitHub CLI (gh) is installed and authenticated with gist scope — SKILL.md expects gh but registry metadata omitted that requirement. 2) Review and be comfortable with gh's stored authentication on your machine (gh uses your GitHub token); the scripts call gh api/gh gist which operate with that account. 3) Remember that 'secret' gists are unlisted but not private to GitHub — anyone with the link can view them. 4) The skill includes a sensible sensitive-data policy; nevertheless, avoid uploading real secrets and verify placeholders are used. If you need stronger guarantees (audit logs, org-owned gists, or access controls), modify workflow to use an org/service account with appropriate governance rather than a personal gh token.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.2.0
Download zip
discordvk97d11fmt3tbj44bjdgce484h981g2hrlatestvk97d11fmt3tbj44bjdgce484h981g2hrproductivityvk97d11fmt3tbj44bjdgce484h981g2hrsharingvk97d11fmt3tbj44bjdgce484h981g2hr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Gist Code Share

When returning code:

  1. If code is 10 lines or fewer, inline code block is allowed.
  2. If code is over 10 lines, prefer GitHub Gist.
  3. Default to secret gist unless user asks for public.
  4. Return a short summary + gist URL; avoid pasting long duplicate code in chat.
  5. Never publish secrets in shared code. If sensitive values are needed, use placeholders and tell user to fill them locally.

Required checks

  • Verify GitHub CLI auth: gh auth status
  • If not authenticated (or missing gist scope), ask user to run: gh auth login
  • Keep behavior simple: do not auto-fallback to alternate sharing backends by default; prefer guiding user to configure GitHub properly.

Sensitive data policy (mandatory)

Before sharing code, scan for sensitive data and remove it.

  • Never include API keys, tokens, passwords, private keys, cookies, session IDs, webhook secrets, phone/email PII, or absolute local secret paths.
  • If code requires secrets, replace with placeholders, for example:
    • API_KEY="<FILL_ME>"
    • TOKEN="<YOUR_TOKEN_HERE>"
    • .env entry with empty value
  • Add a short note telling the user to fill placeholders locally after copying.

Update mode (same URL)

When user asks to modify previously shared code, prefer updating the same gist link (new revision) instead of creating a new gist.

Use:

./scripts/update_gist.sh <gist_url_or_id> <file> "<short description>" [public|secret] [lang]

Behavior:

  • Keep the same gist URL.
  • Save changes as a new revision.
  • Return the same fixed 3-line response format.

Create a new gist only when:

  • user explicitly asks for a new link, or
  • existing gist is not editable by current GitHub account.

Create gist

Use:

gh gist create <file> --desc "<short description>"

If code is generated in-session, write it to a temp file in workspace first. Use language-appropriate extension (.py, .js, .ts, etc.) so Gist syntax highlighting works well.

With bundled script:

./scripts/create_gist.sh <file> "<short description>" [public|secret] [lang]

If <file> has no extension, pass [lang] (for example python, typescript) so the script can upload with a proper extension.

Default behavior: do not use --web (automation-friendly). Optional: use --web only when the user explicitly asks to open the gist in browser immediately.

Response format (fixed)

Always use exactly this 3-line format:

  1. One sentence on what was shared.
  2. Gist URL (separate line).
  3. File: <filename> · Lines: <line_count>

Example:

Shared the full script as a secret Gist for clean copy/paste. https://gist.github.com/... File: lc761_solution.py · Lines: 42

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…