createrepo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is consistent with RPM repository management, but its examples can change package repositories, signing state, and package-manager trust settings if run.
This looks like a benign instruction-only RPM repository management skill. Before using it, make sure you understand each shell command, run it only against intended repository paths, protect signing keys, and avoid disabling package signature checks except for temporary local testing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running these commands on the wrong path or repository ID could overwrite metadata or mirror unwanted packages.
The skill gives shell commands that modify repository metadata and sync remote repository content. This is expected for RPM repository management, but the commands should be applied only to intended repositories.
createrepo --update /path/to/repo ... reposync --repoid=fedora --download_path=/path/to/mirror
Confirm paths, repository IDs, and target directories before running any command, especially sync or update operations.
If the wrong key or package set is used, clients may trust packages that were not intended to be trusted.
The signing examples rely on local RPM/GPG trust and signing authority. That is central to repository signing, but it can affect which packages systems trust.
rpm --import /path/to/RPM-GPG-KEY-myrepo ... for rpm in /path/to/repo/Packages/*.rpm; do rpm --addsign "$rpm"; done
Use dedicated signing keys, protect private keys, and verify the package list before bulk-signing RPMs.
Unsigned or unverified packages from the local repository could be installed later if the configuration is used as-is.
The local DNF repository example enables a repository while disabling package signature checks. If copied into system configuration, this can affect future package installs from that repository.
[mylocalrepo]
name=My Local Repository
baseurl=file:///path/to/repo
enabled=1
gpgcheck=0
Prefer signing local repositories and enabling gpgcheck/repo_gpgcheck when the repository is used beyond temporary testing.
A compromised or misconfigured OS package source could install unsafe tooling.
The skill instructs installation of system packages from the user's configured package repositories. This is expected for the skill, but it depends on the trustworthiness of those package sources.
dnf install createrepo_c deltarpm ... zypper install createrepo_c ... apt-get install createrepo-c
Install from trusted OS repositories and verify package sources before installing repository-management tools.
