github-dns-helper
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: github-dns-helper Version: 1.0.3 The skill facilitates modifying the system's hosts file to resolve GitHub access issues but includes highly insecure instructions in SKILL.md that advise users to change the ownership of /etc/hosts to a non-root user (e.g., sudo chown $(whoami) /etc/hosts). This permanently weakens system security, allowing any user-level process to redirect network traffic without authentication. Additionally, the script scripts/fix_github_dns.py fetches host configurations from various third-party URLs (e.g., raw.hellogithub.com, ghproxy.com) and executes system commands via shell=True, posing risks of DNS hijacking if the sources are compromised or shell injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After this setup, other programs running as the same user could silently change where important domains resolve, which could break networking or enable phishing-style redirects.
The skill instructs users to change ownership of the protected hosts file so future edits can happen without administrator approval. That permanently expands write access to a system-wide DNS configuration file.
sudo chown $(whoami):staff /etc/hosts sudo chmod 644 /etc/hosts ... sudo chown $(whoami):$(whoami) /etc/hosts sudo chmod 644 /etc/hosts ... 执行后,脚本将不再需要 sudo 权限,可以免密码运行
Do not change ownership of /etc/hosts. Prefer a one-time sudo run, an administrator prompt for each write, or restore root/admin ownership immediately after the repair.
If a malicious or malformed custom hosts URL is used, it could execute commands on the user's machine under the user's account.
A custom URL argument is interpolated into a shell command and executed with shell=True. A URL containing shell metacharacters could cause unintended local commands to run.
parser.add_argument('-u', '--urls', nargs='+', help='自定义 hosts URL 地址列表')
...
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
...
run_command(f"curl -s --max-time 10 {url}")Avoid using custom URLs unless fully trusted. The script should call subprocess with an argument list, avoid shell=True, and validate URLs before use.
If a remote hosts source or proxy is compromised, the system hosts file could be updated with incorrect mappings that affect browsing and developer tools system-wide.
The script downloads hosts entries from several third-party URLs and accepts non-comment lines without visible domain allowlisting or integrity checks before using them for hosts-file repair.
DEFAULT_HOSTS_URLS = [
"https://raw.hellogithub.com/hosts",
"https://fastly.jsdelivr.net/gh/AutismSuperman/github-dns/hosts",
"https://ghp.ci/https://raw.hellogithub.com/hosts",
"https://mirror.ghproxy.com/https://raw.hellogithub.com/hosts",
"https://ghproxy.com/https://raw.hellogithub.com/hosts"
]
...
if len(parts) >= 2:
lines.append(line)Use a trusted, pinned source where possible, validate that entries only target expected GitHub-related domains, show the proposed changes to the user, and keep an easy rollback path.