gitload
Pass
Audited by ClawScan on May 10, 2026.
Overview
gitload is a GitHub download helper whose documented commands match its stated purpose, but it relies on an external npm CLI and may use GitHub tokens for private repositories.
This skill appears benign for downloading GitHub content. Before using it, verify the npm package you are running, choose safe output directories, and only provide GitHub credentials when necessary for private repositories or rate limits.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running npx or a global npm install executes code from the npm ecosystem on the user's machine.
The skill depends on an external npm CLI that is not included or version-pinned in the reviewed artifacts. This is aligned with the skill's purpose, but users must trust the npm package they execute.
Run gitload via npx (no install needed):
```bash
npx gitload-cli https://github.com/user/repo
```
Or install globally:
```bash
npm install -g gitload-cli
```
Verify the npm package name and publisher before use, consider pinning a known version, and prefer npx over global install unless repeated use is needed.
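One way to do that vetting before the first `npx` run, as an added example that is not part of gitload, its SKILL.md, or ClawScan's tooling: pull the package's registry document, confirm the name and maintainers are the ones you expect, check that the version `latest` points at carries a sha512 integrity hash and whether it runs install-time scripts, then run it pinned to that exact version. The registry document below is constructed for illustration and the maintainer name is invented; a real document comes from the npm registry's per-package endpoint.

```python
"""Added example, not gitload's or ClawScan's code: vet an npm CLI's registry
metadata before running it with npx, and build a version-pinned command.
The registry document below is constructed for illustration; a real one is
fetched from the npm registry's per-package endpoint (assumed shape)."""
import re

# Constructed sample of a registry document (abridged to the fields checked).
SAMPLE_REGISTRY_DOC = {
    "name": "gitload-cli",
    "dist-tags": {"latest": "1.2.3"},
    "maintainers": [{"name": "example-maintainer", "email": "m@example.com"}],
    "versions": {
        "1.2.3": {
            "dist": {
                # Fake SRI string of the right shape (sha512-, 88 base64 chars).
                "integrity": "sha512-" + "A" * 86 + "==",
                "tarball": "https://registry.npmjs.org/gitload-cli/-/gitload-cli-1.2.3.tgz",
            },
            # Lifecycle scripts run during install; worth knowing about up front.
            "scripts": {"postinstall": "node scripts/setup.js"},
        }
    },
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
SRI_SHA512 = re.compile(r"^sha512-[A-Za-z0-9+/]{86}==$")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def resolve_latest(doc: dict) -> str:
    """Return the version 'latest' points at, refusing tags that resolve nowhere."""
    version = doc.get("dist-tags", {}).get("latest")
    if version not in doc.get("versions", {}):
        raise ValueError(f"dist-tag 'latest' -> {version!r} has no version entry")
    return version


def vet_package(doc: dict, expected_name: str, expected_maintainers: set,
                version: str) -> list:
    """Return human-readable warnings; an empty list means no red flags found."""
    warnings = []
    if doc.get("name") != expected_name:          # typosquat / wrong package
        warnings.append(f"name is {doc.get('name')!r}, expected {expected_name!r}")
    actual = {m.get("name") for m in doc.get("maintainers", [])}
    unknown = actual - expected_maintainers
    if unknown:
        warnings.append(f"unexpected maintainers: {sorted(unknown)}")
    entry = doc["versions"][version]
    integrity = entry.get("dist", {}).get("integrity", "")
    if not SRI_SHA512.match(integrity):
        warnings.append(f"version {version} lacks a sha512 integrity hash")
    hooks = [h for h in INSTALL_HOOKS if h in entry.get("scripts", {})]
    if hooks:
        warnings.append(f"version {version} runs install scripts: {hooks}")
    return warnings


def pinned_npx_command(package: str, version: str) -> str:
    """Build an npx invocation pinned to an exact version (no tags or ranges)."""
    if not EXACT_VERSION.match(version):
        raise ValueError(f"refusing non-exact version {version!r}")
    return f"npx --yes {package}@{version}"


if __name__ == "__main__":
    latest = resolve_latest(SAMPLE_REGISTRY_DOC)
    for w in vet_package(SAMPLE_REGISTRY_DOC, "gitload-cli", {"example-maintainer"}, latest):
        print("WARN:", w)
    print(pinned_npx_command("gitload-cli", latest))
```

The install-script warning is informational rather than a verdict: many legitimate CLIs have a `postinstall`, but it is the point at which `npx` or `npm install -g` runs the package's own code on your machine, so it is the part worth reading before you trust the package. Pinning to `package@x.y.z` rather than the bare name means a later compromised release does not reach you silently.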
A GitHub token, especially one with repo scope, can grant access to private repository contents.
The skill can use a GitHub token or the local gh CLI login to access private repositories. This is expected for private GitHub downloads, but it is sensitive credential use.
Using gh CLI (recommended)
```bash
gitload https://github.com/user/private-repo --gh
```
Requires prior `gh auth login`.
Using explicit token
```bash
gitload https://github.com/user/repo --token ghp_xxxx
```
...
For private repos, ensure token has `repo` scope
Use the least-privileged GitHub token possible, avoid pasting tokens into shared chats or shell history, and only use authentication when needed.
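The following is an added example, not gitload's or ClawScan's code, showing how a caller can apply that advice around the `--gh` and `--token` flags quoted above: skip credentials entirely for public repositories, prefer `--gh` for private ones, read an explicit token from the `GITHUB_TOKEN` environment variable (an assumed name) instead of typing it on the command line, and compare the scopes GitHub reports for a classic token against the single `repo` scope the skill says private downloads need. The header value is constructed; GitHub returns the granted scopes in the `X-OAuth-Scopes` response header of authenticated API calls.

```python
"""Added example, not gitload's or ClawScan's code: keep GitHub credentials out
of shell history and argv where possible, and check that a classic token's
scopes are no broader than a private download needs. The header value below is
constructed; GitHub returns X-OAuth-Scopes on authenticated API responses."""
import os
from typing import Optional

REQUIRED_FOR_PRIVATE = {"repo"}   # the scope SKILL.md says private repos need
# Scopes a download helper has no use for; any of these means over-privilege.
HIGH_RISK = {"admin:org", "delete_repo", "workflow", "admin:repo_hook",
             "write:packages", "admin:public_key", "admin:gpg_key"}


def parse_scopes(header_value: str) -> set:
    """Parse a comma-separated X-OAuth-Scopes header. Fine-grained tokens report
    none here; review their repository and permission selection instead."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def assess_token(scopes: set, private: bool) -> dict:
    """Compare granted scopes with what the download needs.
    Public repos need no token at all, so any scope there counts against it."""
    needed = REQUIRED_FOR_PRIVATE if private else set()
    missing = needed - scopes
    excess = scopes - needed
    return {
        "missing": missing,
        "excess": excess,
        "high_risk": excess & HIGH_RISK,
        "ok": not missing and not (excess & HIGH_RISK) and (private or not scopes),
    }


def gitload_argv(url: str, private: bool, use_gh: bool = False,
                 token: Optional[str] = None) -> list:
    """Build the gitload argv from the flags quoted above. Public downloads get no
    credentials. For private repos prefer --gh (the token stays in gh's own
    store); the --token path is kept for tokens passed in from the environment."""
    argv = ["gitload", url]
    if not private:
        return argv
    if use_gh:
        return argv + ["--gh"]
    if token:
        return argv + ["--token", token]
    raise ValueError("private repo: run `gh auth login` and use --gh, or supply a token")


def token_from_env(name: str = "GITHUB_TOKEN") -> Optional[str]:
    """Read the token from the environment so it never appears in shell history.
    GITHUB_TOKEN is an assumed variable name, not one gitload documents."""
    return os.environ.get(name) or None


def redact(argv: list) -> list:
    """Mask the value following --token before logging or sharing a command."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg == "--token":
            out[i + 1] = "<redacted>"
    return out


if __name__ == "__main__":
    # Constructed header value, as if read from an authenticated API response.
    granted = parse_scopes("repo, read:org, delete_repo")
    print(assess_token(granted, private=True))
    cmd = gitload_argv("https://github.com/user/private-repo", private=True,
                       token=token_from_env() or "ghp_example")
    print(" ".join(redact(cmd)))
```

Reading the token from the environment keeps it out of shell history, but a token passed through `--token` is still visible to other local users in the process list for as long as gitload runs; `--gh` avoids that exposure, which is one reason the skill recommends it. The `ok` result treats any scope on a public download as unnecessary, since public content needs no credential at all.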
