Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
fastgithub
v1.0.0
Provide a local proxy server to accelerate GitHub access, improving slow clone, push, and download speeds on Linux, macOS, and Windows.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (local GitHub proxy) match the scripts' behavior (starting a local proxy binary, setting http(s)_proxy). However the SKILL.md and scripts reference a packaged binary fastgithub-linux-x64.tar.gz and a publish/fastgithub executable, but that tarball/binary is not listed in the skill file manifest. Requiring an opaque native executable is plausible for a proxy, but the missing artifact is an incoherence: install will fail or the publisher may intend to download/replace the binary later.
Instruction Scope
Instructions direct running the included install/start scripts, setting shell proxy env vars, and (optionally) installing a system CA certificate into the OS trust store. Installing a root/trusted CA allows interception of TLS traffic system-wide — a legitimate requirement for some local TLS-proxy accelerators but a high-risk action. The documentation also suggests disabling git TLS verification as troubleshooting (git config --global http.sslVerify false), which is insecure and unnecessary in safe deployments.
Install Mechanism
There is no formal install spec; this is instruction-driven and runs local shell scripts which launch an opaque native binary from a tarball. The tarball referenced in docs/scripts is not included in the provided manifest, creating an inconsistency. Running an uninspected native executable (which could make network calls or exfiltrate data) is higher risk than pure script-only skills.
Credentials
The skill does not request environment variables or credentials in metadata, and only sets local http_proxy/https_proxy environment variables (expected for a proxy). However, the optional system CA installation requires sudo/administrator privileges and persists system trust — this is a broader privilege than typical non-system utilities and should be justified by a verified binary.
Persistence & Privilege
The skill itself is not forced-always and does not modify other skills, but installing a root CA (recommended in the docs) changes system-wide trust persistently and grants the proxy the ability to MITM HTTPS traffic. That level of persistent privilege is significant and should only be granted after verifying the binary's provenance and integrity.
What to consider before installing
Do not install this skill without verifying the underlying binary. Key points to consider:
(1) The scripts expect a native binary tarball (fastgithub-linux-x64.tar.gz) that is not present in the manifest — ask the publisher where the binary comes from and for a signed checksum.
(2) Running an opaque native executable can perform network I/O or exfiltrate secrets; prefer source code or binaries from a trusted release (e.g., official GitHub release with checksums).
(3) Installing a system CA is dangerous: it allows the proxy to intercept TLS for all apps. Only add a CA if you fully trust the binary and understand the risk; avoid it on machines that hold sensitive credentials.
(4) Never accept the suggested global TLS-disable workaround (git http.sslVerify false).
(5) If you want to test, run the proxy in an isolated environment (VM or throwaway container) and monitor network traffic and logs, and verify the binary's checksum or build from source if possible.
Like a lobster shell, security has layers — review code before you run it.
