ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Mirror

v3.0.0

国内镜像源加速。生成下载/安装命令时自动添加大厂/高校背书的可信镜像参数。

0· 29·1 current·1 all-time
by文物@xiaomiba0904
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md: it aims to add trusted China-hosted mirror parameters to package/download commands and suggest configuring mirror env vars. The skill is instruction-only and asks for no binaries, credentials, or installs, which is coherent with the stated lightweight purpose.
!
Instruction Scope
The runtime instructions tell the agent to automatically modify any command that may trigger network downloads and to prompt/configure many environment variables and config files (~/.cargo/config.toml, daemon.json, HOMEBREW_* envs, NVM_NODEJS_ORG_MIRROR, GOPROXY, etc.). Although modifying commands/configs is within the stated goal, the guidance grants broad discretion to read and suggest edits across many tool configurations without explicitly declaring that access. There are no explicit safeguards about respecting a user's explicit source choices beyond 'skip if user specifies other source', which could lead to unintended command rewriting or config changes.
Install Mechanism
No install steps or external downloads are declared (instruction-only). This is the lowest-risk install pattern; nothing is written to disk by an installer specified in the skill bundle.
!
Credentials
The skill declares no required environment variables or credentials, yet the SKILL.md instructs checking and setting a long list of tool-specific env vars and editing user config files. That is broader environment/config access than the metadata advertises and could result in reading or writing many per-user configuration locations. The skill does not request explicit permission or declare these accesses in the manifest.
Persistence & Privilege
always:false and user-invocable: true. The skill does not request permanent presence or elevated platform privileges. It can be invoked autonomously by the agent (disable-model-invocation:false), which is normal for skills — combine with the above concerns if you plan to allow autonomous runs.
What to consider before installing
This skill is coherent: it will rewrite AI-generated download/install commands to include China-hosted mirror flags and recommend configuring many tool-specific environment variables and config files. Before installing or enabling it, consider: 1) Review generated commands before execution — don't let the agent run altered commands blindly. 2) The skill may read or suggest edits to many dotfiles (e.g., ~/.cargo/config.toml, Docker daemon.json, nvm/fnm settings, GOPROXY) even though no env access is declared; be cautious about allowing automatic edits. 3) Verify every mirror URL listed is acceptable to your security policy — mirrors speed up downloads but are still supply-chain endpoints. 4) Prefer invoking the skill manually (user-invocable) and avoid allowing autonomous runs that can modify environment/configs unattended. 5) If you need stricter guarantees, test the skill in a sandboxed account first and/or request the author add explicit manifest entries documenting the exact config paths and the exact read/write behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk973rmf9s2v3newfgrvee20jdh8406ba

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

China Mirror — 国内镜像源

核心规则

  1. 任何可能触发网络下载的命令,自动添加国内镜像参数
  2. 只使用以下镜像源,禁止使用无背书的不明镜像

示例:

  • 用户:"安装 lodash" → 生成:npm install lodash --registry=https://registry.npmmirror.com
  • 用户:"pip 安装 requests" → 生成:pip install requests -i https://pypi.tuna.tsinghua.edu.cn/simple

可信镜像源(大厂/高校背书)

命令行参数

工具参数镜像背书方
npm/pnpm/yarn/bun--registry=https://registry.npmmirror.com淘宝阿里巴巴 ✅
pip/pip3/uv/poetry-i https://pypi.tuna.tsinghua.edu.cn/simple清华清华大学 ✅
conda/mamba-c https://mirrors.tuna.tsinghua.edu.cn/anaconda清华清华大学 ✅
gem/bundle--source https://mirrors.tuna.tsinghua.edu.cn/rubygems/清华清华大学 ✅
flutter pub/dart pub--server=https://pub.flutter-io.cnFlutter CN社区 ✅
composer--repository-url=https://mirrors.aliyun.com/composer/阿里云阿里云 ✅
nuget/dotnet--source https://repo.huaweicloud.com/repository/nuget/v3/index.json华为云华为云 ✅

环境变量配置

工具环境变量
cargoCARGO_REGISTRY配置 ~/.cargo/config.toml
rustupRUSTUP_DIST_SERVERhttps://mirrors.ustc.edu.cn/rust-static
goGOPROXYhttps://goproxy.cn,direct
dockerregistry-mirrors配置 daemon.json
brewHOMEBREW_*清华镜像环境变量
pyenvPYTHON_BUILD_MIRROR_URLhttps://mirrors.tuna.tsinghua.edu.cn/python-build/
nvmNVM_NODEJS_ORG_MIRRORhttps://npmmirror.com/mirrors/node/
fnm/volta*_MIRRORhttps://npmmirror.com/mirrors/node/
rbenvRUBY_BUILD_MIRROR_URLhttps://mirrors.tuna.tsinghua.edu.cn/ruby-build/
gvmGO_BINARY_BASE_URLhttps://mirrors.ustc.edu.cn/golang/
sdkmansdkman_candidates_mirrorhttps://mirrors.tuna.tsinghua.edu.cn/sdkman/
tfenvTFENV_TERRAFORM_MIRRORhttps://mirrors.tuna.tsinghua.edu.cn/terraform/
asdfASDF_*_MIRROR参考上述各语言镜像
juliaJULIA_PKG_SERVERhttps://mirrors.ustc.edu.cn/julia/
Roptions(repos)https://mirrors.tuna.tsinghua.edu.cn/CRAN/
maven/gradle配置文件https://maven.aliyun.com/repository/public
helmhelm repo addhttps://mirror.azure.cn/kubernetes/charts/

系统包管理器

系统镜像源背书方
Ubuntu/Debianmirrors.aliyun.com阿里云 ✅
CentOS/RHELmirrors.aliyun.com阿里云 ✅
Alpinemirrors.aliyun.com/alpine/阿里云 ✅
Archmirrors.tuna.tsinghua.edu.cn/archlinux/清华 ✅

备选镜像

工具备选背书方
npmhttps://repo.huaweicloud.com/repository/npm/华为云 ✅
piphttps://mirrors.aliyun.com/pypi/simple/阿里云 ✅
piphttps://pypi.mirrors.ustc.edu.cn/simple/中科大 ✅
cargohttps://rsproxy.cn/字节跳动 ✅
gohttps://mirrors.aliyun.com/goproxy/阿里云 ✅
dockerhttps://mirror.ccs.tencentyun.com腾讯云 ✅

判断逻辑

AI 生成命令时,自动判断:

1. 是否涉及网络下载?

直接下载命令:

  • 包安装:npm install, pip install, gem install, composer require...
  • 版本安装:pyenv install, nvm install, rustup toolchain install...
  • 镜像拉取:docker pull, docker build...
  • 仓库克隆:git clone(GitHub 可提示使用代理)
  • 系统更新:apt install, brew install, apk add...

间接触发下载的命令:

  • npm run / yarn run / pnpm run — 依赖缺失时自动下载
  • npm test / npm start / npm build — 同上
  • npx <package> — 临时下载执行
  • uv run — 自动安装依赖
  • cargo build / cargo run — 首次构建下载依赖
  • go build / go run — 下载模块依赖

判断原则:

  • 如果命令可能触发网络请求,且环境未配置镜像 → 提示配置镜像
  • 如果用户已配置镜像环境变量 → 正常执行

2. 如何添加镜像?

支持命令行参数:

npm install pkg --registry=https://registry.npmmirror.com
pip install pkg -i https://pypi.tuna.tsinghua.edu.cn/simple

不支持命令行参数:

  • 提示用户配置环境变量(如 GOPROXY, NVM_NODEJS_ORG_MIRROR
  • 或在命令前临时设置:NVM_NODEJS_ORG_MIRROR=https://npmmirror.com/mirrors/node/ nvm install 20

3. 跳过情况

  • 命令中已有镜像参数 → 跳过
  • 用户明确指定其他源 → 跳过
  • 纯本地命令(无网络请求)→ 跳过

安全声明

背书方:

  • 大厂:阿里巴巴、华为云、腾讯云、字节跳动、网易、七牛云
  • 高校:清华大学、中国科学技术大学

禁止使用无背书的不明镜像源。

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…