Github Reader

v3.1.3

Automatically interprets GitHub repositories to generate structured reports with project stats, core features, architecture highlights, and quick links.

⭐ 0· 418·1 current·1 all-time

byKrislu@krislu1221

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for krislu1221/github-reader.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Github Reader" (krislu1221/github-reader) from ClawHub.
Skill page: https://clawhub.ai/krislu1221/github-reader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-reader

ClawHub CLI

Package manager switcher

npx clawhub@latest install github-reader

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

The files and runtime instructions align with the described purpose: the code fetches GitHub API data, optionally scrapes third-party analysis (zread.ai), renders pages via a browser tool, and caches results. No unrelated credentials or exotic binaries are requested. One minor note: registry metadata indicated 'instruction-only' (no install spec) while the package actually includes code and an install script—this is plausible but should be noticed.

Instruction Scope

SKILL.md tells users to run the packaged install script and restart the agent gateway (expected). However a pre-scan found 'unicode-control-chars' in SKILL.md (prompt-injection pattern). The docs include references to local endpoints (http://localhost:8080 for GitView) and third-party zread.ai—these are expected for functionality, but the presence of unicode control characters in the skill documentation is suspicious because such characters can be used to hide or alter prompts and may attempt to manipulate model parsing. Also SECURITY_AUDIT.md and PACKAGE.md include diagnostic commands that reference local paths, but they do not directly instruct the skill to read arbitrary unrelated user files.

✓

Install Mechanism

Install is via a packaged shell script (install_v3_secure.sh) that copies the included files into a user skill directory and creates /tmp/gitview_cache. There are no external downloads, no use of URL shorteners or untrusted hosts in the installer, and files are local to the package—this is lower risk than remote installs. The install script does set permissions and creates directories in the user's home and /tmp, which is expected for a skill that caches data.

✓

Credentials

No required secrets or primary credential are declared. Environment variables referenced are all configuration flags for caching, timeouts, and concurrency (GITVIEW_*) which are proportionate to the functionality. Documentation mentions optional future support for a GITHUB_TOKEN for private repos, but that is not required now.

✓

Persistence & Privilege

The skill is not marked always:true and is user-invocable only (normal). The installer copies files into the user's skill directory and creates a cache directory; it does not request or attempt to modify other skills or global system settings. Autonomous invocation is allowed by default but not an additional privilege in this package.

Scan Findings in Context

[unicode-control-chars] unexpected: Detected control/unicode characters in SKILL.md that may be used for prompt-injection or to hide content from cursory inspection. This is not needed for a GitHub analysis skill and should be inspected in the raw file before trusting the package.

What to consider before installing

What to consider before installing: 1) Prompt-injection artifact: SKILL.md contains unicode control characters (scanner flagged 'unicode-control-chars'). Open the SKILL.md in a hex-capable editor or use a script (e.g., grep -nP '\p{C}' or hexdump) to confirm and remove any invisible characters. Treat that as a red flag until explained by the author. 2) Source trust: The package lists a GitHub repository URL placeholder and the skill's source/homepage is 'unknown' in the registry metadata. Prefer installing only from a verifiable source (official repo or known author). Verify the repository and author (Krislu / '虾软') before trusting the package. 3) Network behavior: The skill will call api.github.com and optionally zread.ai, and may use a headless browser to render pages (the 'browser' tool). If you run this skill, consider restricting its network access (or run in a sandbox) if you don't want it contacting third‑party services. The localhost GitView URL is expected but monitor to ensure no unexpected internal network access occurs. 4) Run in a safe environment first: Install and test in an isolated environment (VM or container) and monitor network traffic (tcpdump) and file writes (/tmp/gitview_cache). The installer only copies packaged files, but you should still inspect the Python files (especially github_reader_v3_secure.py) for any obfuscated or hidden code before enabling it in production. 5) Credentials: This skill does not require credentials now. Do not supply a GITHUB_TOKEN or other secrets unless you understand and accept the risk. The docs mention adding GITHUB_TOKEN to support private repos in a future release—only provide it if you trust the package and host. 6) If you need to move forward: (a) inspect SKILL.md and python source for hidden characters or obfuscation, (b) verify the package repository and recent commits, (c) run static analysis / lint and run the skill with restricted network and filesystem permissions, (d) confirm the security claims in SECURITY_AUDIT.md by running the test cases locally. If the unicode-control characters are explained (benign encoding artifact) and the package origin is verified, this assessment would likely move to 'benign'.

Like a lobster shell, security has layers — review code before you run it.

latestvk97attn1b0mvmaezmvp0et3ccn83cesm

418downloads

0stars

11versions

Updated 9h ago

v3.1.3

MIT-0

GitHub Reader Skill v3.1

深度解读 GitHub 项目 / Deeply Analyze GitHub Projects

📖 自动解读 GitHub 项目，生成结构化分析报告
📖 Automatically analyze GitHub projects and generate structured analysis reports

🚀 安装 / Installation

cd github-reader/
./install_v3_secure.sh

然后重启你的 Agent gateway / Then restart your Agent gateway:

# OpenClaw / 其他兼容平台 / Other compatible platforms
openclaw gateway restart
# 或 / or
<your-platform> gateway restart

💡 用法 / Usage

命令方式 / Command Mode

/github-read microsoft/BitNet

自然语言 / Natural Language

帮我解读这个仓库：https://github.com/HKUDS/nanobot
Help me analyze this repo: https://github.com/HKUDS/nanobot

简短格式 / Short Format

分析 HKUDS/nanobot
Analyze HKUDS/nanobot

📊 输出示例 / Output Example

好的！已经抓取到相关项目的详细信息，让我来为您解读：
Great! I've captured detailed information about the project, let me analyze it for you:

# 📦 microsoft/BitNet 深度解读报告
# microsoft/BitNet In-depth Analysis Report

> **分析时间 / Analysis Time**: 2026-03-13 01:27  
> **数据来源 / Data Sources**: Zread 深度解读 + 技术社区 + 互联网信息，仅供参考  
> **Data Sources**: Zread in-depth analysis + Tech community + Internet information, for reference only

---

## 💡 一句话介绍 / One-Sentence Introduction
BitNet.cpp 是微软官方推出的 1 比特量化大语言模型推理框架...  
BitNet.cpp is Microsoft's official 1-bit quantized LLM inference framework...

## 📊 项目卡片 / Project Cards
| 指标 / Metric | 值 / Value |
|------|-----|
| ⭐ Stars | 12.5k |
| 🍴 Forks | 2.1k |
| 📝 Issues | 156 |
| 🐍 语言 / Language | Python |
| 📄 许可证 / License | MIT License |

## 🔗 快速链接 / Quick Links
| 平台 / Platform | 链接 / Link | 说明 / Description |
|------|------|------|
| **GitHub** | https://github.com/microsoft/BitNet | 源代码仓库 / Source code repository |
| **Zread** | https://zread.ai/microsoft/BitNet | 📖 深度解读（推荐）/ In-depth analysis (Recommended) |
| **GitView** | `http://localhost:8080/?repo=microsoft/BitNet` | 🚀 快速概览（可选）/ Quick overview (Optional) |

> **注意 / Note**: 
> - Zread 是第三方深度代码解读服务（可选）/ Zread is a third-party code analysis service (optional)
> - GitView 需要本地运行（可选）/ GitView requires local setup (optional)
> - GitHub 是必需的代码源 / GitHub is the required code source

🛡️ 安全特性 / Security Features (v3.0)

P0 级别（高危修复）/ P0 Level (Critical Fixes)

✅ 输入验证 / Input Validation - 防止 URL 注入 / Prevents URL injection
✅ 安全 URL 拼接 / Safe URL Joining - 防止 SSRF / Prevents SSRF attacks
✅ 缓存数据验证 / Cache Data Validation - 防止投毒 / Prevents poisoning
✅ 路径安全检查 / Path Security Check - 防止遍历 / Prevents traversal

P1 级别（中危修复）/ P1 Level (Medium Fixes)

✅ 浏览器并发限制 / Browser Concurrency Limit
✅ API 频率限制 / API Rate Limiting
✅ 超时控制 / Timeout Control

⚙️ 配置 / Configuration

环境变量 / Environment Variables

# 缓存配置 / Cache Configuration
export GITVIEW_CACHE_DIR="/tmp/gitview_cache"  # 缓存目录 / Cache directory
export GITVIEW_CACHE_TTL="24"                   # 缓存时间（小时）/ Cache TTL (hours)
export GITVIEW_CACHE_MAX_SIZE="1"               # 最大缓存文件（MB）/ Max cache file (MB)

# 性能配置 / Performance Configuration
export GITVIEW_MAX_BROWSER="3"                  # 最大并发浏览器 / Max concurrent browsers
export GITVIEW_GITHUB_DELAY="1.0"               # API 调用间隔（秒）/ API call delay (seconds)

# 超时配置 / Timeout Configuration
export GITVIEW_BROWSER_TIMEOUT="30"             # 浏览器超时（秒）/ Browser timeout (seconds)
export GITVIEW_GITHUB_TIMEOUT="10"              # GitHub API 超时（秒）/ GitHub API timeout (seconds)

📈 性能指标 / Performance Metrics

场景 / Scenario	耗时 / Time	备注 / Notes
首次分析 / First analysis	10-15 秒 / seconds	抓取 + 分析 / Fetch + Analyze
缓存命中 / Cache hit	< 1 秒 / second	直接返回 / Direct return
缓存过期 / Cache expiry	12-24 小时 / hours	可配置 / Configurable

📁 文件结构 / File Structure

github-reader/
├── github_reader_v3_secure.py       # v3.0 主代码 / v3.0 Secure main code
├── __init__.py                      # Skill 注册 / Skill registration
├── clawhub.json                     # ClawHub 元数据 / ClawHub metadata
├── SECURITY.md                      # 安全指南 / Security guide
├── RELEASE_NOTES.md                 # 发布说明 / Release notes
├── README_BILINGUAL.md              # 简洁中英对照 / Concise bilingual README
├── README_EN_CN.md                  # 详细中英对照 / Detailed bilingual README
├── PACKAGE.md                       # 打包说明 / Package guide
└── install_v3_secure.sh             # 安装脚本 / Installation script

🔧 技术栈 / Tech Stack

语言 / Language: Python 3.9+
依赖 / Dependencies: OpenClaw compatible platform
工具 / Tools: web_fetch, browser
缓存 / Cache: 文件系统缓存（JSON 格式）/ File system cache (JSON format)
并发 / Concurrency: asyncio 异步编程 / asyncio async programming

📞 支持 / Support

GitHub Issues: https://github.com/your-repo/github-reader-skill/issues
讨论区 / Discussions: https://github.com/your-repo/github-reader-skill/discussions
文档 / Documentation: See README_EN_CN.md for full documentation

📄 许可证 / License

MIT License

👨💻 作者 / Author

Krislu + 🦐 虾软

版本 / Version: v3.1（安全加固版 / Security Hardened）
最后更新 / Last Updated: 2026-03-13

Comments

Loading comments...