China Mirror
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill openly rewrites download and install commands to use Chinese package mirrors; no hidden code or credential use is shown, but users should review package-source changes.
Install only if you want the agent to prefer the listed Chinese mirrors for downloads and package installs. For production, regulated, or highly reproducible environments, review each generated command and consider using official sources with pinned versions and integrity checks.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Packages and dependencies may be fetched through mirrors instead of official upstream sources; mirrors may observe requested package names and could differ in freshness or availability.
The skill intentionally redirects package downloads from default upstream registries to third-party mirror registries. This is central to the stated purpose, but it changes software supply-chain provenance.
For any command that may trigger a network download, automatically add domestic mirror parameters ... npm install pkg --registry=https://registry.npmmirror.com ... pip install pkg -i https://pypi.tuna.tsinghua.edu.cn/simple
Review generated install commands before running them, and use official registries, pinned versions, hashes, or signatures for sensitive or production builds.
A command the user expected to run with default package sources may be modified or accompanied by mirror-configuration guidance.
The instruction scope includes commands that are not explicit package installs but may download dependencies. That can cause generated commands or setup prompts to change broader developer workflows.
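Commands that indirectly trigger downloads: `npm run` / `yarn run` / `pnpm run` ... `cargo build` / `cargo run` ... `go build` / `go run` ... If a command may trigger a network request and the environment has no mirror configured → prompt to configure a mirror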
If a task requires official upstream sources or exact reproducibility, explicitly tell the agent not to add mirror parameters for that command.
Persistent mirror settings can affect future package installs, Docker pulls, or builds even after the immediate task is complete.
Some mirror use is documented as environment-variable or config-file setup rather than one-off command flags, which may persist beyond a single command.
Command-line parameters not supported: prompt the user to configure environment variables (e.g. `GOPROXY`, `NVM_NODEJS_ORG_MIRROR`) ... `CARGO_REGISTRY` | configure `~/.cargo/config.toml` ... `docker` | `registry-mirrors` | configure `daemon.json`
Prefer temporary per-command settings when possible, and document or revert persistent package-manager configuration if it is only needed temporarily.
