github-dns-helper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a real GitHub connectivity helper, but it asks to weaken system hosts-file permissions and can rewrite system DNS settings from remote or custom sources.
Install or run only if you understand that it can change system-wide DNS behavior. Avoid the suggested permanent hosts-file ownership change, do not use untrusted custom URLs, and review any hosts entries before applying them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After this change, other programs running as the user could alter system DNS mappings without an admin prompt, which can redirect traffic or break connectivity.
The skill instructs users to transfer ownership of a protected system hosts file to the current user so future writes do not need administrator approval.
sudo chown $(whoami):staff /etc/hosts ... sudo chmod 644 /etc/hosts ... After this is run, the script no longer needs sudo privileges and can run without a password
Do not permanently change /etc/hosts ownership. Prefer a one-time administrator-approved write, restore root/System ownership after use, and review exact hosts changes before applying them.
If a malicious or malformed custom hosts URL is supplied, it could execute arbitrary local shell commands under the user's account.
Custom URL values are interpolated into a shell command with shell=True and no quoting or validation, allowing shell metacharacters in a URL to become commands.
parser.add_argument('-u', '--urls', nargs='+', help='自定义 hosts URL 地址列表') ... subprocess.run(cmd, shell=True, capture_output=True, text=True) ... run_command(f"curl -s --max-time 10 {url}")
Replace shell=True string commands with argument-list subprocess calls, validate URLs strictly, and do not pass untrusted values to a shell.
A compromised or inappropriate hosts source could cause system-wide DNS redirection, not just fix GitHub access.
The script fetches hosts entries from several remote sources and accepts non-comment lines without visible domain whitelisting or integrity verification before using them for the repair.
DEFAULT_HOSTS_URLS = ["https://raw.hellogithub.com/hosts", "https://fastly.jsdelivr.net/gh/AutismSuperman/github-dns/hosts", ...] ... if len(parts) >= 2: lines.append(line)
Only use trusted sources, verify or pin the expected content, restrict accepted entries to GitHub-related domains, and show the planned hosts changes for user approval before writing.
