ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github repository quickstart

v1.0.0

Use when the user wants a fast, low-friction onboarding guide for an unfamiliar GitHub repository. Trigger when a GitHub repo URL is provided, or when the us...

0· 102·0 current·0 all-time
by@starquakee

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for starquakee/github-repo-quickstart.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Github repository quickstart" (starquakee/github-repo-quickstart) from ClawHub.
Skill page: https://clawhub.ai/starquakee/github-repo-quickstart
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-repo-quickstart

ClawHub CLI

Package manager switcher

npx clawhub@latest install github-repo-quickstart
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions align: the skill wants to inspect a GitHub repo tree, manifests, CI/Dockerfiles, and releases and produce a compact quickstart. The declared tool dependency (a GitHub MCP) matches this purpose.
Instruction Scope
SKILL.md stays within the stated purpose: it instructs fetching repo structure, analyzing dependencies, locating entrypoints, and checking releases. It does not request unrelated files, host credentials, or system-level secrets in the text.
Install Mechanism
Instruction-only skill with no install spec or code files: lowest install risk. Nothing is written to disk by the skill itself.
!
Credentials
The skill declares a dependency on an MCP tool and agents/openai.yaml points to an external URL: https://api.githubcopilot.com/mcp/. While a remote GitHub-like MCP is reasonable for the task, that endpoint is not the standard GitHub API (api.github.com) and is operated externally — repository contents or metadata may be transmitted to that service. No environment variables or credentials are requested, but the external transport is the main proportionality/privacy concern.
Persistence & Privilege
always:false (good). policy.allow_implicit_invocation:true is set, which allows autonomous invocation — this is normal for skills but increases the blast radius if the external MCP is untrusted. The skill does not request persistent system privileges or modify other skills.
What to consider before installing
This skill appears to do what it says (produce a compact repo quickstart) and doesn't request local credentials, but it relies on a remote MCP endpoint (https://api.githubcopilot.com/mcp/) to fetch repository structure. Before installing or using it: 1) confirm you trust that MCP operator and its privacy policy — repository source files and metadata may be sent to that service; 2) avoid running it on private or sensitive repositories unless you're sure the endpoint is authorized to receive that data; 3) consider asking the publisher for an official homepage or source repo (none is provided) or request it be pointed to the official GitHub API instead; 4) if you require higher assurance, prefer a local/offline analysis workflow or audit the agent's MCP requests in a controlled environment. Because the publisher is unknown and the external endpoint is nonstandard, I mark this as suspicious (medium confidence).

Like a lobster shell, security has layers — review code before you run it.

latestvk977dnx2r3jhn0mc4v51kwzsqx839q3h
102downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@starquakee
latest
Download

GitHub Repo Quickstart

Overview

This skill produces a compressed, developer-first onboarding guide for an unfamiliar GitHub repository. It is for cases where the user wants to understand the repo quickly and start using it immediately, without reading the entire README or source tree.

This document stays in English. Actual user-facing output must follow the user's language by default. If the user explicitly requests another language, follow the user's explicit request instead. This rule applies to headings, explanations, directory-tree annotations, pitfalls, and all other visible output.

Required Workflow

When the user provides a GitHub repository URL, execute the workflow in this exact order. Do not skip a step unless the repository is inaccessible.

1. Fetch_Repo_Skeleton

Goal: identify the repo shape before interpreting details.

Collect:

  • Primary language or languages
  • Frameworks and runtime family
  • Monorepo or single-project layout
  • Top-level directory tree
  • Build files, package manifests, Docker files, CI files, env examples, and config roots

If an environment provides a helper literally named Fetch_Repo_Skeleton, use it first. Otherwise emulate it with GitHub MCP, repository tree inspection, and manifest discovery.

2. Analyze_Dependencies

Goal: understand how the repo is expected to run.

Collect:

  • Package managers and dependency manifests
  • Runtime versions from files such as .nvmrc, .python-version, go.mod, Cargo.toml, pyproject.toml, Dockerfiles, toolchain files, or CI configs
  • Environment setup hints
  • Preferred local setup path
  • Whether Docker or Docker Compose is the safest path
  • Hidden system dependencies and likely conflicts

If an environment provides a helper literally named Analyze_Dependencies, use it first. Otherwise infer from manifests, Docker files, lockfiles, CI, and task runners.

3. Locate_Entrypoints

Goal: show the shortest path into the core business logic.

Collect:

  • Main server, CLI, worker, or library entrypoints
  • Boot sequence: config load, dependency wiring, database or cache initialization, HTTP or RPC server startup, command dispatch, job loop, or request pipeline
  • One or two files the user should read first

If an environment provides a helper literally named Locate_Entrypoints, use it first. Otherwise infer from main.*, cmd/, src/main.*, framework boot files, router setup, and executable targets.

4. Check_Releases_And_Health

Goal: prevent the user from onboarding onto a dead or misleading version.

Collect:

  • Latest usable release or latest stable tag
  • Direct release link
  • Maintenance signal: active, slow-moving, or likely unmaintained
  • Evidence such as recent commits, release cadence, issue activity, or archived status

If an environment provides a helper literally named Check_Releases_And_Health, use it first. Otherwise inspect GitHub releases, tags, recent commits, and repository metadata.

Operating Rules

  • Never copy the README verbatim. Distill and verify.
  • Favor primary evidence from the repository itself over marketing language.
  • If Docker exists and looks maintained, recommend Docker first.
  • If Docker exists but is obviously stale or incomplete, say so and prefer the local path.
  • Prefer commands that are directly copy-pasteable.
  • Be explicit about version traps, OS-level dependencies, GPU or CUDA requirements, private submodules, generated code, or outdated docs.
  • If evidence is incomplete, say what is confirmed and what is inferred.
  • Keep the answer extremely compact. The reader is a developer, not a stakeholder.
  • Match the user's language for all user-visible wording.
  • If the user's message is mixed-language, follow the dominant language unless the user explicitly asks otherwise.

Output Contract

Return a Markdown document titled Repository Quickstart Guide, but translate the title and section headings into the user's language unless the user explicitly asked for English. Use the following section structure and keep the tone professional, direct, and practical.

1. One-Minute Overview

Include:

  • Core Positioning: one sentence on what the repo does and what pain it solves
  • Tech Stack: main language plus primary framework or runtime shape
  • Project Health: maintenance status, latest release version, and direct download or release link

2. Architecture & Tree

Requirements:

  • Show only the core tree
  • Omit tests, fixtures, static assets, screenshots, and low-signal files unless they are essential to bootstrapping
  • Every important directory or file in the tree must have a brief annotation in the user's language

Example style:

repo/
├── cmd/                  # Stores executable entrypoints
├── internal/             # Core business logic
├── pkg/                  # Reusable shared libraries
├── configs/              # Config files and templates
└── Dockerfile            # Container startup path

3. Quick Start

Include:

  • The safest environment recommendation
  • Docker-first commands if Docker is the best option
  • Clone and dependency-install commands
  • Run commands
  • A short Pitfalls subsection with only high-value traps

Command blocks must be directly executable and minimal.

4. Core Logic Navigator

Include:

  • A direct sentence equivalent to If you want to understand the core logic, start from ...
  • The first one or two files to read
  • A short execution-flow summary in order
  • A practical reading path, not an exhaustive architecture essay

Response Style

  • Keep SKILL.md in English, but generate user-facing output in the user's language
  • Be concise, specific, and implementation-oriented
  • Prefer file paths over vague descriptions
  • Avoid generic praise and filler
  • Do not overwhelm the user with exhaustive subsystem coverage
  • Optimize for helping the user start coding in minutes

Comments

Loading comments...