
Git Federation Searcher

by DJ_Swiss · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 579
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install git-federation-searcher
Description
Search across multiple self-hosted Git instances including Gitea, Forgejo, GitLab, and Codeberg. Aggregates search results from Codeberg.org, Gitea.com, Open...
README (SKILL.md)

Git Federation Searcher

Search across multiple self-hosted Git instances in parallel.

Overview

This tool searches across various Git hosting platforms (not just GitHub/GitLab) including:

  • Codeberg
  • Gitea.com
  • NotABug
  • Gitdab
  • Self-hosted instances

Features

  • Multi-Instance Search: Search 5+ instances at once
  • Auto-Discovery: Detects if instances are reachable
  • Add Custom Instances: Add your own Gitea/GitLab instances
  • Fallback to Web: Uses SearXNG if API search fails
  • Type Detection: Auto-detects Gitea vs GitLab vs Forgejo
  • Results by Stars: Sorted by popularity

Default Instances

| Instance  | Type    | URL                  |
|-----------|---------|----------------------|
| Codeberg  | Gitea   | https://codeberg.org |
| Gitea.com | Gitea   | https://gitea.com    |
| OpenDev   | Gitea   | https://opendev.org  |
| NotABug   | Gogs    | https://notabug.org  |
| Gitdab    | Forgejo | https://gitdab.com   |

Usage

Command Line

# Search all instances
python3 git_federation_searcher.py "whisper"

# List configured instances
python3 git_federation_searcher.py --list

# Add custom instance
python3 git_federation_searcher.py --add MyGitea https://git.example.com gitea

# Remove instance
python3 git_federation_searcher.py --remove MyGitea

Telegram Bot

/gitsearch whisper              # Search all instances
/gitinstances                   # List all configured
/gitadd Name URL Type           # Add custom instance

Supported Git Types

| Type    | API        | Notes                |
|---------|------------|----------------------|
| Gitea   | ✅ Full    | Best support         |
| Forgejo | ✅ Full    | Gitea fork, same API |
| GitLab  | ✅ Full    | Uses v4 API          |
| Gogs    | ✅ Partial | Basic search only    |

Requirements

  • Python 3.7+
  • curl (for API calls)
  • (Optional) SearXNG for web fallback
Usage Guidance
This skill appears to implement the advertised functionality, but review and mitigation steps are recommended before installing:

  • Inspect the full _web_search implementation (the provided snippet is truncated). Confirm whether it invokes shell commands or external endpoints and whether it uses environment variables — this affects injection risk.
  • Note that API tokens you add are stored in plaintext in instances.json under a hard-coded SKILL_DIR (/root/.openclaw/workspace/skills/git-federation-searcher). If you will add private instances, use least-privilege/read-only tokens and ensure file permissions are restrictive, or modify the code to store secrets safely.
  • Ensure curl is available on the host or adapt the code to use Python's HTTP libraries; the registry/metadata does not declare curl as a requirement even though the code calls it via subprocess.
  • Because the skill runs subprocesses to perform network calls, run it in a sandboxed environment (or non-privileged account) if you are unsure about trusting its source.
  • If you need higher assurance, ask the publisher to: (1) remove hard-coded absolute paths or make them configurable, (2) document any environment variables used (e.g., SearXNG URL), and (3) avoid shell invocation in favor of requests/urllib to reduce command injection risk.

If you can retrieve and review the full git_federation_searcher._web_search function and confirm there are no shell/unsanitized string executions there, it would raise confidence. Without that, treat the skill as suspicious and proceed with caution.
Capability Analysis
Type: OpenClaw Skill
Name: git-federation-searcher
Version: 1.0.0

The skill is classified as suspicious due to a critical shell injection vulnerability found in `git_federation_searcher.py`. The `_web_search` function uses `subprocess.run(cmd, shell=True)` where `cmd` is constructed using an f-string that includes user-controlled input (`query`), allowing for arbitrary command execution. Additionally, the skill stores user-provided API tokens in plain text within `instances.json`, posing a data security risk. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, classifying these issues as vulnerabilities rather than malice.
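An added example (not code from the skill or its publisher) of one way to address the two findings above: the query reaches curl as a single argument-list element instead of an f-string run with `shell=True`, and the token-bearing config file is written owner-only. The endpoint URL and port, the function names and the choice of curl flags are assumptions; the skill's actual `_web_search` is not shown on this page.

```python
import json
import os
import tempfile
from urllib.parse import urlencode, urlsplit

# Assumed placeholder for the local SearXNG endpoint; the page only says the
# fallback appears to reference 127.0.0.1.
SEARX_BASE = "http://127.0.0.1:8080/search"


def build_search_argv(query, base_url=SEARX_BASE):
    """Return a curl argv list; the query is never parsed by a shell."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url must be an absolute http(s) URL")
    # urlencode percent-encodes quotes, semicolons, spaces, '#', '&', etc.,
    # so the query stays inside the q= parameter of one URL argument.
    url = base_url + "?" + urlencode({"q": query, "format": "json"})
    # Intended for subprocess.run(argv, shell=False, capture_output=True).
    return ["curl", "--silent", "--fail", "--max-time", "10", "--url", url]


def save_instances(path, instances):
    """Write the config (which may hold API tokens) readable by owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 before any secret is written.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".instances-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(instances, fh, indent=2)
        os.replace(tmp, path)  # atomic swap; the 0600 mode is preserved
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed input containing shell metacharacters.
    print(build_search_argv('whisper"; echo INJECTED #'))
```

Storing the file with mode 0600 limits who can read the tokens but does not encrypt them, so least-privilege, read-only tokens remain advisable for private instances.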
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose (search multiple self-hosted Git instances, add private instances, fallback to web search). However there is a mismatch between metadata and implementation: SKILL.md and the Python code rely on curl/subprocess for API calls, but the registry metadata lists no required binaries. Also meta.json declares 'exec' and 'web_search' permissions which correspond to the use of subprocess/curl and network access — that's expected but not fully documented in the registry fields.
Instruction Scope
Runtime instructions stay within the declared purpose (API calls to Git hosts, optional web fallback). The skill reads/writes an instances.json config and search_cache.json in a hard-coded SKILL_DIR and will accept and store API tokens for private instances. That storage and the network scanning behaviour are within the tool's remit but deserve attention because they broaden what the skill touches (local file system and arbitrary network hosts).
Install Mechanism
There is no install spec and requirements.txt lists no external packages; the code uses only the standard library and subprocess/curl. No external archive downloads or installers are used. The absence of a declared curl dependency in the registry is an oversight but not an installer risk.
Credentials
The skill requests no environment variables or credentials in metadata, but it stores API tokens provided by the user in plaintext inside instances.json under a hard-coded SKILL_DIR (an absolute path under /root/.openclaw/...). Storing tokens unencrypted on disk is a sensitive operation and the absolute path may be unexpected. The SKILL.md mentions optional SearXNG for fallback but there is no declared env var for configuring its URL; the code snippet shown for the web fallback is truncated and appears to reference an endpoint (127.0.0.1) — this gap reduces confidence that external endpoints and env accesses are fully documented.
Persistence & Privilege
always:false (good). The skill writes persistent config files into a hard-coded workspace path and will persist API tokens and instance data; that is normal for a configuration-capable skill but the absolute /root path and lack of explanation about file permissions increases risk if the skill runs in a multi-tenant environment. The skill does not request to modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install git-federation-searcher
  3. After installation, invoke the skill by name or use /git-federation-searcher
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of git-federation-searcher.

  • Search across multiple self-hosted Git instances (Gitea, Forgejo, GitLab, Codeberg, NotABug, Gitdab)
  • Aggregate results across 5+ public Git forges; sort by popularity (stars)
  • Add custom/self-hosted instances with API token support
  • Automatic detection of instance type and reachability
  • Fallback to SearXNG web search if API fails
  • Command line and Telegram bot interfaces included
Metadata
Slug git-federation-searcher
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Git Federation Searcher?

Search across multiple self-hosted Git instances including Gitea, Forgejo, GitLab, and Codeberg. Aggregates search results from Codeberg.org, Gitea.com, Open... It is an AI Agent Skill for Claude Code / OpenClaw, with 579 downloads so far.

How do I install Git Federation Searcher?

Run "/install git-federation-searcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Git Federation Searcher free?

Yes, Git Federation Searcher is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Git Federation Searcher support?

Git Federation Searcher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Git Federation Searcher?

It is built and maintained by DJ_Swiss (@djswiss); the current version is v1.0.0.
