createrepo
v1.0.1
Create and manage local RPM YUM/DNF repositories with metadata generation, incremental updates, multi-architecture support, syncing, and GPG signing.
by wei dong @weidongkl
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (createrepo, YUM/DNF repo management) matches the SKILL.md content: it documents createrepo/createrepo_c, reposync, repoquery, deltarpm, rpm, and gpg usage. No unrelated services, env vars, or binaries are requested.
Instruction Scope
Instructions are narrowly scoped to creating/updating/syncing RPM repos and signing/verification. They do reference system paths (/etc/yum.repos.d, /path/to/repo) and commands that modify system state and require elevated privileges (rpm --addsign, importing keys, writing repodata). This is expected for the purpose but is capable of making persistent system changes.
Install Mechanism
No install spec included (instruction-only). The SKILL.md recommends installing standard OS packages (createrepo_c, deltarpm) via system package managers — these are expected and low-risk recommendations when coming from official repos.
Credentials
The skill declares no environment variables or credentials, which matches the content. However, several instructions assume access to GPG keys/agent and ability to sign packages (private key material) and to modify system repo files — these are sensitive operations even though no secrets are explicitly requested.
Persistence & Privilege
always is false and the skill is user-invocable only. There is no install-time persistence or modifications to other skills/configs declared. Autonomous invocation is allowed (default) but not combined with other concerning flags.
Assessment
This skill appears coherent and matches its description, but it is a set of instructions that run real system commands: (1) commands like createrepo, reposync, rpm --addsign, and gpg will need root or file-system access and can modify repository metadata and package signatures; run them in a controlled environment or container if unsure; (2) signing requires access to your GPG private keys or agent; do not expose private keys unintentionally; (3) follow recommended package installs from your OS vendor repositories (not untrusted URLs); (4) review any paths and commands before executing, and test on a non-production system first. If you want the skill to operate automatically, consider whether granting it access to signing keys or root-level actions is appropriate.
createrepo, dnf, latest, repository, rpm, yum
