ClawHub

gh

v0.1.0

Use the GitHub CLI (gh) to perform core GitHub operations: auth status, repo create/clone/fork, issues, pull requests, releases, and basic repo management. Trigger for requests to use gh, manage GitHub repos, PRs, or issues from the CLI.

5· 3.8k·44 current·44 all-time
by@trumppo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (GitHub CLI helper) matches the instructions (gh commands for repos, issues, PRs). Minor inconsistency: SKILL.md assumes the gh CLI is available and used, but the metadata lists no required binary. A user installing this should ensure gh is present.
Instruction Scope
Instructions are focused on running gh commands (auth status, repo create/clone/fork, issues, PRs, releases). They do not instruct reading unrelated files, exfiltrating data, or contacting endpoints other than GitHub via gh. They do include operating on the local repo (e.g., --source . --push), which is expected for this tool.
Install Mechanism
This is an instruction-only skill with no install spec and no code files: nothing is written to disk by the skill itself. Low install risk.
Credentials
The skill declares no environment variables or credentials, which is reasonable because gh manages auth. However, in practice gh operations require authenticated credentials (gh auth or GH_TOKEN) stored outside the skill. The absence of declared env vars is not dangerous but is a metadata omission worth noting.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modify other skills. It can be invoked autonomously (platform default), which is normal for skills of this type.
Assessment
This skill is an instruction-only helper that tells the agent to run gh (GitHub CLI) commands. Before installing: ensure you have gh installed and configured with the credentials you intend the agent to use; be aware the agent may run commands that modify local repos or GitHub state (create/fork/merge/delete), so only allow this skill for agents you trust. If you want to restrict risk, require explicit user confirmation for any destructive actions or disable autonomous invocation for this skill. The metadata omission (no required-binary entry for gh) is benign but you should verify gh is available in the runtime environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk9777vt2ns09e36nzeftwddwf580r03c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments