Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gist Share

v1.0.1

Post content to GitHub Gist and get back a shareable URL. Rich context sharing between agents, operators, and humans.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ragesaq/gist-share.

Install the skill "Gist Share" (ragesaq/gist-share) from ClawHub.
Skill page: https://clawhub.ai/ragesaq/gist-share
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gist-share

ClawHub CLI

npx clawhub@latest install gist-share

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability

The skill claims to post gists (which legitimately needs the GitHub CLI or API and a PAT with gist scope), but the registry metadata lists no required binaries or environment variables. That mismatch is incoherent: a gist-posting skill reasonably needs a GITHUB_TOKEN and gh (or equivalent), yet those are not declared in the package metadata.

[!] Instruction Scope

SKILL.md explicitly instructs the user/agent to set GITHUB_TOKEN and to run gh via the exec tool, and it suggests adding the token to shell startup files (e.g., ~/.zshrc). It does not instruct reading unrelated files, but it does encourage persistent storage of a secret and execution of shell commands — both of which broaden the data and file scope beyond a purely ephemeral, in-session operation.

Install Mechanism

This is an instruction-only skill with no install spec or code files, which reduces direct install-time risk. The doc suggests installing gh via platform package managers (brew/apt) — standard and expected for this functionality.

[!] Credentials

The instructions require a GITHUB_TOKEN with the gist scope (appropriate for creating gists) but the skill metadata does not declare any required environment variables or primary credential. Asking the user to place a PAT in global shell profiles is disproportionate from a safety standpoint because it makes the secret broadly available to other processes and future sessions.

Persistence & Privilege

The skill is not marked always:true and does not modify other skills, which is good. However, the setup guidance suggests persisting the PAT in shell startup files, which creates long-lived credential availability outside the skill's control. Combined with normal autonomous invocation, a persisted token increases blast radius — the skill itself does not enforce or require persistence, but the doc encourages it.

What to consider before installing

This skill's purpose (posting gists) is reasonable, but the SKILL.md and the package metadata disagree: SKILL.md requires the gh CLI and a GITHUB_TOKEN (PAT) and even suggests adding it to your shell profile, while the registry metadata lists no credentials or binaries. Before installing/using:

  (1) verify the skill repository and author trustworthiness;
  (2) prefer using gh auth login or the gh credential store instead of echoing a PAT into ~/.zshrc;
  (3) if you must use a PAT, create a token with only the gist scope, make it short-lived or rotate it frequently, and avoid persistent storage in global shell profiles — set it only in the session where you post the gist;
  (4) never post secrets or sensitive data to public gists (secret gists are unindexed but still accessible by URL); and
  (5) if you allow agents to invoke skills autonomously, restrict tokens to minimal privileges or avoid storing them persistently so a compromised agent or process can’t reuse them.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975z1c95fvg70eh25xtxzyjj9841yam
94 downloads
0 stars
2 versions
Updated 3w ago
v1.0.1
MIT-0

gist-share

Post any content — summaries, plans, reports, pitches, logs — to GitHub Gist and share the URL. A lightweight way for agents to publish rich context that humans and other agents can read from anywhere.

Why Gists?

Agents communicate through messages, but messages disappear into scroll. A gist is:

  • Persistent — stays at a stable URL
  • Readable by anyone — no auth required for public gists
  • Markdown-rendered — GitHub renders it beautifully
  • Shareable — paste the URL anywhere

When an agent needs to hand off context to a human, another agent, or a future session — a gist beats a wall of chat text.


Setup (One-Time)

You need a GitHub Personal Access Token (PAT) with the gist scope.

Step 1: Create a PAT

  1. Go to github.com/settings/tokens
  2. Click "Generate new token (classic)"
  3. Give it a name like openclaw-gist
  4. Check the gist scope (that's all you need)
  5. Click Generate token
  6. Copy the token — you won't see it again

Step 2: Authenticate the gh CLI

OpenClaw uses the gh CLI to post gists. Set your token as an environment variable for the session:

export GITHUB_TOKEN=ghp_yourTokenHere

Or add it permanently to your shell profile (~/.bashrc, ~/.zshrc, etc.):

echo 'export GITHUB_TOKEN=ghp_yourTokenHere' >> ~/.zshrc
source ~/.zshrc

Step 3: Verify it works

gh auth status

You should see your account and gist listed under token scopes.
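
A PAT exported from a shell profile is inherited by every process started from that shell. As an added example (not part of the skill), this audit function checks the usual startup files for a persisted token; the name audit_profiles and the file list are assumptions, while GITHUB_TOKEN/GH_TOKEN are the variables gh reads and ghp_/github_pat_ are GitHub's token prefixes.

```shell
#!/bin/sh
# Added example: audit shell startup files for persisted GitHub tokens.
# Flags (a) GITHUB_TOKEN / GH_TOKEN assigned a literal value and
# (b) classic (ghp_) or fine-grained (github_pat_) PAT literals anywhere.
# Assignments from a command or variable, e.g. GH_TOKEN="$(...)", are not
# literals and are left alone.

# Startup files checked under the given home directory (assumed list).
PROFILE_FILES=".bashrc .bash_profile .profile .zshrc .zshenv .zprofile"

TOKEN_RE="(GITHUB_TOKEN|GH_TOKEN)=[\"']?[^\"'\$[:space:]]|ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,}"

# audit_profiles HOME_DIR
# Prints "file:line: reason" for each finding, never the token itself.
# Returns 1 if anything was found, 0 if the files are clean.
audit_profiles() {
    home_dir=$1
    found=0
    for name in $PROFILE_FILES; do
        file="$home_dir/$name"
        [ -f "$file" ] || continue
        # grep -n prefixes "N:"; drop commented-out lines, keep line numbers.
        hits=$(grep -nE "$TOKEN_RE" "$file" \
               | grep -vE '^[0-9]+:[[:space:]]*#' | cut -d: -f1)
        for line in $hits; do
            echo "$file:$line: GitHub token persisted in startup file"
            found=1
        done
    done
    return $found
}

# Usage: audit_profiles "$HOME" || echo "remove the line and rotate the token"
```

A finding means the token should be removed from the file and rotated, since it may already have been read by other processes.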


How to Post a Gist

Basic usage

Use the exec tool to call gh gist create:

gh gist create --public --desc "Your description here" --filename "your-file.md" - << 'EOF'
Your content here.

Supports **markdown** formatting.
EOF

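Secret gists

Omit --public if the content shouldn't be publicly indexed: gh gist create has no --secret flag and creates a secret gist by default. A secret gist is unlisted, not private; anyone with the URL can read it.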

Full template

gh gist create \
  --public \
  --desc "DESCRIPTION" \
  --filename "FILENAME.md" - << 'GISTEOF'
# TITLE

CONTENT GOES HERE
GISTEOF

The command returns the gist URL on success:

✓ Created public gist FILENAME.md
https://gist.github.com/USERNAME/HASH

Workflow

  1. Prepare content — write your markdown (report, summary, plan, pitch, log)
  2. Choose visibility: --public for sharing freely; omit it for targeted sharing (gh gist create has no --secret flag and makes secret gists by default)
  3. Post it — run gh gist create via exec
  4. Return the URL — share it in the conversation, send it to another agent, or log it
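
Because a posted gist is readable by anyone who has the URL, content prepared by an agent is worth checking before step 3. The following is an added example, not part of the skill: a pre-publish gate that refuses files containing credential-like strings. The function names scan_gist_content and publish_gist and the pattern list are assumptions.

```shell
#!/bin/sh
# Added example: scan content for credentials before gh gist create runs.
# Patterns: GitHub tokens, AWS access key IDs, PEM private key headers.
# Extend the list for whatever secrets your agents can reach.

# scan_gist_content FILE
# Returns 0 if clean, 1 if a pattern matched, 2 if the file is unreadable.
# Reports line numbers only, never the matched text.
scan_gist_content() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    hits=$(grep -nE \
        -e 'gh[pousr]_[A-Za-z0-9]{36}' \
        -e 'github_pat_[A-Za-z0-9_]{20,}' \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -- "$1" | cut -d: -f1 | paste -sd, -)
    if [ -n "$hits" ]; then
        echo "refusing to publish $1: possible secret on line(s) $hits" >&2
        return 1
    fi
    return 0
}

# publish_gist FILE DESCRIPTION [--public]
# Posts only content that passed the scan. Without --public, gh creates a
# secret (unlisted) gist, which is still readable by anyone with the URL.
publish_gist() {
    file=$1
    desc=$2
    visibility=${3:-}
    scan_gist_content "$file" || return 1
    if [ "$visibility" = "--public" ]; then
        gh gist create --public --desc "$desc" "$file"
    else
        gh gist create --desc "$desc" "$file"
    fi
}
```

Pattern matching only catches secrets with a recognizable shape; it does not replace reviewing what an agent is about to publish.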

Example: Posting a Strategic Summary

gh gist create --public --desc "Q2 Roadmap Summary" --filename "q2-roadmap.md" - << 'EOF'
# Q2 Roadmap Summary

## Phase 1 — Foundation (April)
- Complete ClawDash MVP
- Ship ClawCanvas v1

## Phase 2 — Expansion (May)
- Launch ClawText beta
- Begin ClawTomation integration

## Phase 3 — Scale (June)
- Public launch of suite
- Partner integrations go live
EOF

Tips

  • Filename matters — use .md extension for GitHub to render markdown
  • Description is searchable — write something meaningful
  • One gist per topic — don't cram everything into one file; use focused gists
  • Update with gh gist edit GIST_ID — gists are editable if you need to revise
  • List your gists: gh gist list shows recent gists with their IDs and URLs

Troubleshooting

| Problem | Fix |
| --- | --- |
| gh: command not found | Install via brew install gh (macOS) or apt install gh (Linux) |
| HTTP 401 Unauthorized | Token missing or expired — re-run setup |
| Token missing gist scope | Regenerate the PAT with gist scope checked |
| gh auth status shows invalid token | Run gh auth login and follow the prompts |

Gists: the simplest way for a claw to leave a note the world can read.
