GitCode API Usage

v1.0.1

Provides Python SDK access to GitCode REST API with sync/async clients, repo helpers, and CLI scripts for managing repos, pulls, users, and searches.

by Hugo @trenza1ore
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, code files, and documentation consistently implement a GitCode Python SDK helper and CLI. However, the skill manifest/registry metadata lists no required env vars or binaries, while SKILL.md contains an internal metadata block that declares python/pip as required binaries and GITCODE_ACCESS_TOKEN as primaryEnv. This mismatch is likely an authoring/packaging omission, but it is inconsistent.
Instruction Scope
SKILL.md instructs installing the published package from PyPI, using an access token (GITCODE_ACCESS_TOKEN) or passing api_key explicitly, and optionally supplying a decrypt function. Runtime instructions and included scripts only import the SDK, read the token env var, and call API endpoints. There are no instructions to read unrelated files, gather extra system context, or POST data to unexpected endpoints.
Install Mechanism
There is no automated install spec in the registry (instruction-only install). SKILL.md recommends 'pip install -U gitcode-api' (PyPI) and links to GitHub and docs — a standard, low-risk approach. No downloads from untrusted arbitrary URLs or extract operations are present in the package files.
Credentials
The skill legitimately needs an access token (GITCODE_ACCESS_TOKEN) to call the GitCode API and the scripts check that variable. That credential request is proportional. The concern is the mismatch between the registry's declared 'required env vars: none' and the SKILL.md's 'primaryEnv: GITCODE_ACCESS_TOKEN' — users may be surprised unless the registry metadata is corrected.
Persistence & Privilege
The skill does not request always:true or any elevated persistent presence. It does not modify other skills or system-wide settings. The agent can invoke it autonomously (default), which is normal for skills and not a unique concern here.
Assessment
This skill appears to do what it says: small SDK docs and helper scripts that use a GitCode access token. Before installing or providing credentials: (1) verify the PyPI project and GitHub repository links referenced in SKILL.md match the package you expect and review the package source on those sites, (2) install into a virtualenv to avoid changing your global Python environment, (3) give the token only the least privileges necessary and avoid exporting it globally — prefer process-scoped or CI/secret-manager injection, (4) if you want to use an encrypted token, ensure you supply a trusted decrypt function and understand where decryption happens, and (5) ask the publisher to correct the registry metadata (declare python/pip and GITCODE_ACCESS_TOKEN) so requirements are not misleading. If you want extra assurance, inspect the published gitcode-api package source on PyPI/GitHub for any unexpected code before running pip install.

Like a lobster shell, security has layers — review code before you run it.
