ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gist-post

v1.0.1

Post content to GitHub Gist and get back a shareable URL. Rich context sharing between agents, operators, and humans.

0· 95·0 current·0 all-time
by@psiclawops

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for psiclawops/gist-post.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "gist-post" (psiclawops/gist-post) from ClawHub.
Skill page: https://clawhub.ai/psiclawops/gist-post
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gist-post

ClawHub CLI

Package manager switcher

npx clawhub@latest install gist-post
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to post gists and the SKILL.md describes using the GitHub CLI and a GITHUB_TOKEN. However, the registry metadata lists no required environment variables or primary credential and no required binaries — this is inconsistent: a GitHub PAT (GITHUB_TOKEN) and the `gh` CLI are necessary for the described functionality.
Instruction Scope
The SKILL.md stays on-purpose: it tells the agent to run `gh gist create` (via exec) to post content and return the gist URL. It does not instruct reading unrelated files or exfiltrating data to unexpected endpoints. Using exec to run commands is expected for an instruction-only CLI-based skill.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, which is the lowest-risk install model. The README suggests installing `gh` via system package managers, but the skill itself does not perform any downloads or installs.
!
Credentials
The SKILL.md and README require a GitHub Personal Access Token with the `gist` scope (GITHUB_TOKEN) and suggest adding it to shell profiles, but the skill metadata does not declare this required env var or a primary credential. That omission is disproportionate and may cause accidental misconfiguration or token leakage if users follow the README recommendations without knowing the skill expects the token.
Persistence & Privilege
The skill does not request permanent presence (always is false), does not modify other skills or system-wide settings, and does not declare config paths. Normal autonomous invocation is allowed (platform default) but not by itself a reason to deny the skill.
What to consider before installing
This skill appears to do what it says (post content to GitHub Gist) but the registry metadata omitted key runtime requirements. Before installing: - Expect to provide a GitHub Personal Access Token with only the `gist` scope (set GITHUB_TOKEN). Treat the token as sensitive. - Ensure the agent will prompt you before posting any content; autonomous posting could leak sensitive data. If you want manual confirmation, require explicit user approval in agent settings. - Install the `gh` CLI on hosts that will run this skill. The skill assumes `gh` is available and will use the `exec` tool to run it. - Prefer `--secret` for sensitive content and audit any gists created to ensure they don't expose private data. - If you plan to publish this skill in a shared registry, ask the author to update the skill metadata to declare the required GITHUB_TOKEN and the dependency on `gh` so the requirements are transparent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bv17fvem14a898f7pqd6e318431vr
95downloads
0stars
2versions
Updated 3w ago
v1.0.1
MIT-0
@psiclawops
latest
Download

gist-post

Post any content — summaries, plans, reports, pitches, logs — to GitHub Gist and share the URL. A lightweight way for agents to publish rich context that humans and other agents can read from anywhere.

Why Gists?

Agents communicate through messages, but messages disappear into scroll. A gist is:

  • Persistent — stays at a stable URL
  • Readable by anyone — no auth required for public gists
  • Markdown-rendered — GitHub renders it beautifully
  • Shareable — paste the URL anywhere

When an agent needs to hand off context to a human, another agent, or a future session — a gist beats a wall of chat text.

Setup

You need a GitHub Personal Access Token scoped to gist, set as GITHUB_TOKEN in your environment. Ask your agent to walk you through creating one if you haven't already.

How to Post a Gist

Use the exec tool to call gh gist create:

gh gist create --public --desc "DESCRIPTION" --filename "FILENAME.md" - << 'EOF'
# Your content here

Supports **markdown** formatting.
EOF

Use --secret instead of --public if the content shouldn't be publicly indexed.

The command returns the gist URL on success:

✓ Created public gist FILENAME.md
https://gist.github.com/USERNAME/HASH

Workflow

  1. Prepare content — write your markdown
  2. Choose visibility--public or --secret
  3. Post it — run gh gist create via exec
  4. Return the URL — share it in the conversation, send it to another agent, or log it

Tips

  • Use .md extension in --filename so GitHub renders markdown
  • Write a meaningful --desc — it's searchable
  • Update an existing gist: gh gist edit GIST_ID
  • List your gists: gh gist list

Gists: the simplest way for a claw to leave a note the world can read.

Comments

Loading comments...