test display name
v1.0.0
Interact with GitHub using the gh CLI to check PR CI status, view workflow runs and logs, and perform advanced API queries with JSON output.
⭐ 0· 74·0 current·0 all-time
by @xdlrt
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md describes interacting with GitHub via the gh CLI, which matches the skill name/description. However, the skill does not declare the gh binary as a required dependency even though all commands use it — the binary requirement is implied but not declared.
Instruction Scope
Instructions are limited to running gh commands against repositories, PRs, runs, and the API. They don't instruct reading arbitrary files, scanning unrelated system state, or sending data to external endpoints other than GitHub via gh.
Install Mechanism
No install spec is present (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install pattern and is consistent with the skill's minimal scope.
Credentials
The skill declares no required environment variables or primary credential, but using gh requires the user/agent to be authenticated to GitHub (gh uses stored credentials or GH_TOKEN). The SKILL.md does not explain authentication expectations. This implicit credential requirement is proportional but should be made explicit to users.
Persistence & Privilege
The skill does not request persistent presence (always is false) and contains no code that would modify agent configuration or other skills. Autonomous invocation is allowed by default, which is normal for skills and not a problem here.
Assessment
This skill is basically a set of recipes for using the gh CLI. Before installing/using it: (1) ensure the gh CLI is installed on any agent that will run it; (2) ensure the gh client is authenticated with appropriate GitHub credentials/tokens (use least privilege scopes); (3) verify the skill source/owner (there's a mismatch in the small metadata file vs. registry metadata — confirm the publisher you trust); (4) avoid granting broader tokens than needed since gh api calls can access many repo/org resources; and (5) you can test commands manually on a non-sensitive repo to confirm behavior before enabling autonomous runs.
Like a lobster shell, security has layers — review code before you run it.
latest vk97aprwg3d821kcm8103vbjzp583tygm
