gitload

This skill should be used when the user asks to "download files from GitHub", "fetch a folder from a repo", "grab code from GitHub", "download a GitHub repository", "get files from a GitHub URL", "clone just a folder", or needs to download specific files/folders from GitHub without cloning the entire repo.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 2.7k · 7 current installs · 7 all-time installs
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The stated purpose (fetching files/folders from GitHub) is coherent with the instructions (using a gitload CLI to call the GitHub API). However the skill metadata declares no required binaries or env vars, while the SKILL.md clearly assumes availability of node/npm/npx and optionally the gh CLI and GITHUB_TOKEN; that metadata mismatch reduces trust in the manifest.
! Instruction Scope
The runtime instructions direct the agent (or user) to run npx gitload-cli or install an npm package and to supply tokens via --token or GITHUB_TOKEN. npx executes code downloaded at runtime and the guidance to pass tokens on the command line (--token ghp_xxxx) can expose secrets (process lists, shell history). The instructions do not provide guidance for verifying the npm package source or minimizing token exposure.
! Install Mechanism
There is no bundled code; the SKILL.md instructs using npx or npm install to fetch gitload-cli from the npm registry. Running npx executes third‑party code on demand (supply‑chain risk). The manifest offers no vetted release URL, checksum, or guidance to review the package, which increases risk compared with a bundled or well‑documented release.
! Credentials
The skill metadata declares no required environment variables, but the documentation references GITHUB_TOKEN and passing tokens explicitly. Requesting a GitHub token is proportionate for private-repo access, but the instructions suggest insecure usage (inline --token) and do not limit or recommend minimal scopes. The mismatch between declared env requirements and documented token use is a red flag.
Persistence & Privilege
The skill is instruction-only and does not request persistent presence or special agent privileges (always:false). Autonomous invocation is allowed (platform default); combined with the instruction to run npx, that means the agent could autonomously download and execute an npm package when invoked — consider the increased blast radius if used autonomously.
What to consider before installing
This skill appears to do what it says (download GitHub files), but exercise caution before installing or giving it tokens. Specific recommendations:

  • Verify the upstream gitload-cli package: check the npm page and the package's GitHub repo and maintainers before running npx.
  • Prefer using the gh CLI or an environment variable with minimal-scope tokens (repo scope only) instead of passing a token on the command line (avoid --token inline to prevent leaking via process lists or shell history).
  • If you must use this in an automated agent, run it in an isolated environment (container or sandbox) so npx-run code is contained.
  • Ask the publisher to update the skill metadata to list required binaries (node/npm/npx, optionally gh) and to document secure token handling.

If you cannot verify the npm package or maintainers, treat this as untrusted and avoid running it on environments with sensitive data.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0


SKILL.md

gitload

Download files, folders, or entire repos from GitHub URLs using the gitload CLI.

When to Use

Use gitload when:

  • Downloading a specific folder from a repo (not the whole repo)
  • Fetching a single file from GitHub
  • Downloading repo contents without git history
  • Creating a ZIP archive of GitHub content
  • Accessing private repos with authentication

Do NOT use gitload when:

  • Full git history is needed (use git clone instead)
  • The repo is already cloned locally
  • Working with non-GitHub repositories

Prerequisites

Run gitload via npx (no install needed):

npx gitload-cli https://github.com/user/repo

Or install globally:

npm install -g gitload-cli

Basic Usage

Download entire repo

gitload https://github.com/user/repo

Creates a repo/ folder in the current directory.

Download a specific folder

gitload https://github.com/user/repo/tree/main/src/components

Creates a components/ folder with just that folder's contents.

Download a single file

gitload https://github.com/user/repo/blob/main/README.md

Download to a custom location

gitload https://github.com/user/repo/tree/main/src -o ./my-source

Download contents flat to current directory

gitload https://github.com/user/repo/tree/main/templates -o .

Download as ZIP

gitload https://github.com/user/repo -z ./repo.zip

Authentication (for private repos or rate limits)

Using gh CLI (recommended)

gitload https://github.com/user/private-repo --gh

Requires prior gh auth login.

Using explicit token

gitload https://github.com/user/repo --token ghp_xxxx

Using environment variable

export GITHUB_TOKEN=ghp_xxxx
gitload https://github.com/user/repo

Token priority: --token > GITHUB_TOKEN > --gh

URL Formats

gitload accepts standard GitHub URLs:

  • Repo root: https://github.com/user/repo
  • Folder: https://github.com/user/repo/tree/branch/path/to/folder
  • File: https://github.com/user/repo/blob/branch/path/to/file.ext
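
A wrapper an agent could place in front of the gitload commands above, as an added example that is not part of the original SKILL.md or of gitload itself: it accepts only the three URL shapes listed here, puts the token in GITHUB_TOKEN instead of argv, and optionally pins an exact package version. The function names, the character set accepted for owner and repo, and the `0.0.0` version are assumptions made for illustration.

```javascript
// Added example, not gitload's own code. The result can be handed to
// child_process.spawn(command, args, { env }) without going through a shell.
const NAME = /^[A-Za-z0-9._-]+$/;        // owner/repo characters accepted here (assumption)
const EXACT_VERSION = /^\d+\.\d+\.\d+$/; // exact versions only, no ranges or tags

function parseGithubUrl(input) {
  let u;
  try { u = new URL(input); } catch (e) { throw new Error("not a valid URL"); }
  if (u.protocol !== "https:" || u.hostname !== "github.com" || u.port !== "")
    throw new Error("only https://github.com URLs are accepted");
  if (u.username || u.password || u.search || u.hash)
    throw new Error("credentials, query strings and fragments are rejected");
  // The URL parser has already resolved "." and ".." segments in pathname.
  const parts = u.pathname.split("/").filter(Boolean);
  const [owner, repo, marker] = parts;
  if (!NAME.test(owner || "") || !NAME.test(repo || ""))
    throw new Error("owner/repo missing or malformed");
  let kind;
  if (parts.length === 2) kind = "repo";
  else if (marker === "tree" && parts.length >= 4) kind = "folder";
  else if (marker === "blob" && parts.length >= 5) kind = "file";
  else throw new Error("not a repo, tree or blob URL");
  return { kind, owner, repo, href: "https://github.com" + u.pathname };
}

function buildInvocation(url, { outDir, token, version, baseEnv = {} } = {}) {
  const target = parseGithubUrl(url);
  if (version !== undefined && !EXACT_VERSION.test(version))
    throw new Error("version must be an exact x.y.z");
  const args = [version ? `gitload-cli@${version}` : "gitload-cli", target.href];
  if (outDir !== undefined) {
    if (typeof outDir !== "string" || outDir === "" || outDir.startsWith("-"))
      throw new Error("output directory must not be empty or look like an option");
    args.push("-o", outDir);
  }
  // The token travels in the child's environment (GITHUB_TOKEN), never in argv,
  // so it does not appear in process listings or shell history.
  const env = { ...baseEnv };
  if (token) env.GITHUB_TOKEN = token;
  return { command: "npx", args, env, kind: target.kind };
}

// Constructed sample input; the token and the version are placeholders.
const demo = buildInvocation("https://github.com/user/repo/tree/main/src",
  { outDir: "./my-source", token: "ghp_xxxx", version: "0.0.0" });
console.log(demo.command, demo.args.join(" "));
```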

Common Patterns

Scaffold from a template folder

gitload https://github.com/org/templates/tree/main/react-starter -o ./my-app
cd my-app && npm install

Grab example code

gitload https://github.com/org/examples/tree/main/authentication

Download docs for offline reading

gitload https://github.com/org/project/tree/main/docs -z ./docs.zip

Fetch a single config file

gitload https://github.com/org/configs/blob/main/.eslintrc.json -o .

Options Reference

Option                 Description
-o, --output <dir>     Output directory (default: folder named after URL path)
-z, --zip <path>       Save as ZIP file at the specified path
-t, --token <token>    GitHub personal access token
--gh                   Use token from gh CLI
--no-color             Disable colored output
-h, --help             Display help
-V, --version          Output version

Error Handling

If gitload fails:

  1. 404 errors: Verify the URL exists and is accessible
  2. Rate limit errors: Add authentication with --gh or --token
  3. Permission errors: For private repos, ensure token has repo scope
  4. Network errors: Check internet connectivity

Notes

  • gitload downloads content via GitHub's API, not git protocol
  • No git history is preserved (use git clone if history is needed)
  • Large repos may take time; consider downloading specific folders
  • Output directory is created if it doesn't exist
