ClawHub

Github Xiaoshu

v1.0.0

Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.

0· 61·0 current·0 all-time
by@xiaomaju-888
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's description and SKILL.md consistently show usage of the 'gh' CLI for PRs, runs, issues, and gh api queries. However, the skill metadata lists no required binaries while the instructions assume the 'gh' CLI is available — a minor mismatch but not a substantive security concern.
Instruction Scope
SKILL.md only instructs running 'gh' commands against GitHub repos and using --repo or URLs; it does not direct reading unrelated files, accessing other environment variables, or exfiltrating data to external endpoints. Examples shown are primarily read/query commands.
Install Mechanism
There is no install specification (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk installation model. It implicitly relies on the environment already having the 'gh' CLI installed.
Credentials
The skill declares no required environment variables or credentials. In practice, the 'gh' CLI requires authentication (e.g., gh auth login or GH_TOKEN in the environment) to perform authenticated operations; the skill correctly does not request secrets itself but will depend on whatever GitHub credentials the user has configured for 'gh'.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request persistent system privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) but the skill doesn't request additional persistent presence.
Assessment
This skill is an instruction-only helper for the GitHub 'gh' CLI. Before installing, ensure: 1) you have the 'gh' CLI installed on any agent runner where it will be used (the SKILL.md assumes it but the metadata doesn't declare it); 2) your 'gh' is authenticated (it will use your existing gh auth or environment GH_TOKEN), so be aware the agent will run commands with whatever repo permissions your configured credentials grant; 3) the SKILL.md examples are mostly read-only, but 'gh' can modify issues/PRs if the agent executes write commands — only enable or grant access if you trust the agent to run those operations. Also note a minor metadata mismatch (the included _meta.json owner differs from the package owner id), which is likely benign but worth verifying the skill source if provenance matters.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fq11w76jbznp3jprksbw5q1849ph9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments