GitHub Skill Updater
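v1.0.0
Checks and updates OpenClaw skills installed via GitHub git clone. Applies when the user mentions "update skill", "check whether a skill has a new version", "have the GitHub-installed skills been updated", "help me check whether my local skills are behind", "update the skills installed with git clone", "pull...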
by vicwang @viccwang
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe checking and updating git-cloned skills and the code (manage_github_skill.py) implements exactly that using git CLI calls. There are no unrelated env vars, binaries, or network endpoints declared.
Instruction Scope
SKILL.md and the script limit actions to detecting repo status and performing safe updates (fast-forward for branches, tag checkout). However, the runtime commands perform 'git fetch'/'git pull'/'git checkout' which will contact remotes and can modify local skill directories. This behavior is expected for its purpose but is destructive if used improperly, so users should review results before applying updates.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction + local Python script. It does not fetch arbitrary code from unknown URLs during install, so install risk is low.
Credentials
The skill declares no required environment variables or secrets. Note: git network operations implicitly use the user's git credentials (SSH keys, credential helpers, or stored HTTPS credentials) when contacting origin; this is expected but worth being aware of.
Persistence & Privilege
always is false. The skill can be invoked autonomously (platform default). If invoked, it can run git operations that change local files. This matches its purpose but means you should be comfortable with an agent having the ability to update local skill repos.
Assessment
This skill appears to do exactly what it says: check local, git-cloned skills and optionally fast-forward or switch tags. Before running updates: (1) run the check mode (or use --json) to inspect which repos are out-of-date; (2) verify remote URLs are trusted (it will contact origins and use your git credentials); (3) ensure you have backups or can revert changes if an update breaks a skill; (4) prefer manual invocation for update operations unless you trust autonomous agent actions. If you want to limit risk, run only 'check' from the agent and perform updates yourself from a shell.
Like a lobster shell, security has layers — review code before you run it.
