gitload
Security checks across malware telemetry and agentic risk
Overview
This is a coherent GitHub downloader skill, but it delegates all work to an external npm CLI and may be given GitHub tokens, so users should verify the package before installing it and run it with limited credentials.
Install only if you trust the gitload-cli npm package, and understand that authenticated use hands a GitHub token to that CLI. Use least-privilege GitHub credentials, check the output path before downloading into important directories, and review any downloaded project before running install or build commands.
VirusTotal
53/53 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may download and run code from npm that was not reviewed as part of this artifact set.
The skill depends on an external npm package that is not included in the reviewed artifacts and is not pinned to a specific version.
Run gitload via npx (no install needed):
```bash
npx gitload-cli https://github.com/user/repo
```
Or install globally:
```bash
npm install -g gitload-cli
```
Verify the npm package and its publisher before use, pin to a specific version that has been audited where possible, and do not pass real tokens to a package you have not vetted.
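As an added illustration of the pinning advice (example code, not part of the gitload skill or the gitload-cli package): a small wrapper that refuses to run an npm package through npx unless the spec names an exact version, and tells npm not to run the package's own install hooks while it is fetched. The package name gitload-cli comes from the skill's docs; the helper names and the version numbers are placeholders.

```sh
#!/bin/sh
# Added example, not from the gitload skill. Guards an npx invocation so that
# only an exactly pinned package spec (name@X.Y.Z) can run.

# Returns 0 if SPEC is "name@X.Y.Z" (exact semver, optional prerelease
# suffix), 1 otherwise. Bare names, dist tags ("gitload-cli@latest") and
# ranges ("^1.2.0", "~1.2", ">=1.0") resolve at run time to whatever the
# registry serves that day, so they are rejected.
is_pinned_spec() {
  spec=$1
  case "$spec" in
    *@*) ;;             # has a version part after an @
    *) return 1 ;;      # bare package name
  esac
  name=${spec%@*}       # scoped names (@scope/name@1.2.3) keep their leading @
  version=${spec##*@}
  [ -n "$name" ] || return 1
  printf '%s\n' "$version" \
    | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# Shows what the registry will actually serve for SPEC: the resolved version,
# the tarball integrity hash and the repository URL to compare against the
# GitHub project. This is a network call, so it is kept out of the guard.
inspect_spec() {
  npm view "$1" version dist.integrity repository.url
}

# Runs SPEC through npx only when it is pinned. npm reads npm_config_*
# environment variables as config, so npm_config_ignore_scripts=true stops
# npm from running the package's preinstall/postinstall hooks while it is
# placed in the npx cache; --yes skips the interactive install prompt.
run_pinned() {
  spec=$1; shift
  if ! is_pinned_spec "$spec"; then
    echo "refusing to run unpinned package spec: $spec" >&2
    return 2
  fi
  npm_config_ignore_scripts=true npx --yes "$spec" "$@"
}

# Usage: sh safe_npx.sh gitload-cli@1.2.3 https://github.com/user/repo
# (1.2.3 is a placeholder; pick the version you have audited.)
if [ "$#" -gt 0 ]; then
  run_pinned "$@"
fi
```

The guard only proves that the version cannot drift between runs; it does not prove the pinned version is safe, which is what `inspect_spec` plus a read of the published tarball is for.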
A GitHub token can grant access to private repositories, and passing it to a CLI gives that CLI everything the token permits, not just what the requested download needs.
The skill documents use of GitHub personal access tokens or environment variables for authenticated downloads.
Using explicit token
```bash
gitload https://github.com/user/repo --token ghp_xxxx
```
Using environment variable
```bash
export GITHUB_TOKEN=ghp_xxxx
gitload https://github.com/user/repo
```
Use fine-grained, least-privilege tokens; prefer established credential flows such as gh auth when appropriate; keep real tokens off the command line, where they land in shell history and are visible in the process list; revoke tokens when no longer needed.
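An added example of the token-handling advice (not part of the gitload skill): the token is read from a file that must be mode 0600, exported as GITHUB_TOKEN only into the child process, and the wrapper refuses to run if a token-shaped string is also on the command line. GITHUB_TOKEN is the variable the skill's docs name; the token-file convention and helper names are this example's own.

```sh
#!/bin/sh
# Added example, not from the gitload skill. Keeps a GitHub token out of argv
# and shell history by passing it to a child command through its environment.

# Returns 0 when any argument looks like a GitHub token: classic prefixes
# ghp_/gho_/ghu_/ghs_/ghr_ or a fine-grained github_pat_ token. Anything in
# argv shows up in `ps` output and in the shell's history file.
argv_has_token() {
  for arg in "$@"; do
    case "$arg" in
      ghp_*|gho_*|ghu_*|ghs_*|ghr_*|github_pat_*) return 0 ;;
    esac
  done
  return 1
}

# Returns 0 when FILE is a regular file readable only by its owner (0600 or
# 0400). Tries GNU stat first, then the BSD/macOS form.
token_file_ok() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs CMD... with GITHUB_TOKEN taken from the first line of FILE. Refuses if
# the token is also being passed as an argument or the file is too open.
# The variable is set only in the child's environment, not exported here.
run_with_token_file() {
  f=$1; shift
  if argv_has_token "$@"; then
    echo "refusing: token passed on the command line, use the env var instead" >&2
    return 2
  fi
  if ! token_file_ok "$f"; then
    echo "refusing: $f must be a regular file with mode 0600" >&2
    return 2
  fi
  tok=$(head -n 1 "$f")
  if [ -z "$tok" ]; then
    echo "refusing: $f is empty" >&2
    return 2
  fi
  GITHUB_TOKEN=$tok "$@"; rc=$?
  unset tok
  return $rc
}

# Usage: sh run_with_token.sh ~/.config/gitload/token gitload https://github.com/user/repo
if [ "$#" -gt 1 ]; then
  run_with_token_file "$@"
fi
```

The permission check does not make the token safe from the CLI that receives it; it only limits which local users and which logs can see it. The access the token carries is still decided by how it was scoped when created.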
If the downloaded project is untrusted, running npm install may execute lifecycle scripts declared by the project itself or by any of its dependencies on the local machine.
The example goes beyond downloading files and suggests installing dependencies from downloaded project content, which can run package lifecycle scripts.
Scaffold from a template folder
```bash
gitload https://github.com/org/templates/tree/main/react-starter -o ./my-app
cd my-app && npm install
```
Inspect the downloaded code, and in particular the scripts section of package.json, before running install commands, and use npm install --ignore-scripts when working with untrusted repositories so that no lifecycle hook runs during installation.
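An added example of that inspection step (not part of the gitload skill): it lists the npm lifecycle hooks a freshly downloaded package.json declares, warns about them, and then installs with scripts disabled. The grep-based extraction is a shell heuristic chosen for this example rather than a JSON parser, so it errs toward flagging; the helper names and the sample package.json in the usage note are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the gitload skill. Surfaces lifecycle hooks in an
# untrusted checkout before any `npm install` is run there.

# Hooks npm runs on its own during a local install: preinstall, install,
# postinstall, prepare (and prepublish in older npm releases).
LIFECYCLE_HOOKS='preinstall|install|postinstall|prepare|prepublish'

# Prints the hook names declared in FILE, one per line, sorted and unique.
# Matches  "postinstall":  anywhere in the file; these names are not valid
# package.json keys outside "scripts", so false positives are rare and
# harmless (they only cause a warning). Returns 1 if FILE is missing.
lifecycle_hooks_in() {
  f=$1
  [ -f "$f" ] || return 1
  grep -Eo "\"($LIFECYCLE_HOOKS)\"[[:space:]]*:" "$f" \
    | sed -E 's/^"([^"]+)".*/\1/' | sort -u
}

# Returns 0 when FILE declares none of the hooks above.
has_no_lifecycle_hooks() {
  [ -z "$(lifecycle_hooks_in "$1")" ]
}

# Install flow for an untrusted checkout in DIR: print any hooks found, then
# install with --ignore-scripts so neither the project's hooks nor its
# dependencies' install scripts execute. Packages that rely on a native
# build step will need that step run by hand after review.
safe_install() {
  dir=$1
  pj="$dir/package.json"
  hooks=$(lifecycle_hooks_in "$pj") || { echo "no package.json in $dir" >&2; return 1; }
  if [ -n "$hooks" ]; then
    echo "package.json in $dir declares lifecycle hooks, review them before trusting this project:" >&2
    printf '  %s\n' $hooks >&2
  fi
  (cd "$dir" && npm install --ignore-scripts)
}

# Usage: sh safe_install.sh ./my-app
if [ "$#" -gt 0 ]; then
  safe_install "$1"
fi
```

On a constructed package.json whose scripts section contains "postinstall", "build" and "prepare", `lifecycle_hooks_in` prints postinstall and prepare and `safe_install` warns before installing; a scripts section holding only "build" produces no warning. Remember that --ignore-scripts covers install-time hooks only: scripts the project runs later (`npm run build`, `npm start`) still execute whatever the repository says.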
