China Mirror Resolver
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it can change persistent package and system mirror settings, sometimes based on web-search results, so users should review changes before allowing it to apply them.
Use this skill only if you want an agent to adjust development mirror settings. Before applying changes, ask it to show the selected mirror, exact files or commands, backups, and rollback steps; approve sudo/admin commands manually; and prefer official or widely trusted HTTPS mirrors over unknown search-result mirrors.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change package-manager or system repository settings that affect future installs and builds.
The skill explicitly gives the agent terminal and file-write authority and tells it to modify configuration files as part of the workflow. This is purpose-aligned, but high-impact without an explicit confirmation step before applying changes.
allowed-tools: WebSearch WebFetch terminal file-read file-write ... 6. Backup original config → write new config → verify with test command
Require the agent to show the target tool, config path, diff, selected mirror, backup location, and rollback command, then get explicit user approval before writing files or running privileged commands.
A bad or untrusted mirror could influence packages, containers, source downloads, or models used in later work.
Web-search results can become persistent package/source mirrors. The shown selection criteria emphasize reachability and speed, which do not by themselves establish mirror provenance or package integrity.
4. [IF search capable] Search for latest sources ... 5. Validate ALL candidates ... pick fastest passing one ... 6. Backup original config → write new config
Prefer official or well-known institutional mirrors, verify mirror URLs against the provider's own documentation, keep HTTPS and package-signing protections enabled, and avoid automatically accepting web-search candidates solely because they are fast.
Mistakes in privileged changes could disrupt Docker, system package updates, or repository configuration.
Some supported workflows require elevated permissions to edit system configuration and restart services. This is expected for Docker/apt/yum mirror changes, but it crosses a privilege boundary.
Linux: `/etc/docker/daemon.json` ... `sudo systemctl daemon-reload && sudo systemctl restart docker` ... Edit `/etc/apt/sources.list` ... `sudo sed -i... /etc/yum.repos.d/CentOS-*.repo`
Only allow privileged commands for the specific tool you asked to fix, review backups first, and keep a clear restore path before running sudo/admin commands.
