← Back to Skills Marketplace
113
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install repo-setup
Description
Fork, clone, and set up a GitHub repository for development or contribution. Handles fork creation, clone with authentication, upstream remote configuration,...
Usage Guidance
Before installing or running this skill: 1) Treat the metadata mismatch as a red flag — ask the publisher to update required binaries (git, gh) and required env vars (GH_TOKEN) so you know what will be used. 2) Avoid cloning with a token embedded in the HTTPS URL; prefer gh auth login or SSH keys, and if you must use a token, use ephemeral/minimal-scoped tokens and remove them from remote URLs afterwards (git remote set-url). 3) Be cautious running dependency installs (npm, pip, mvn, gradle) from unknown repositories — these can execute arbitrary code (postinstall/build scripts). Consider running the setup in an isolated container or VM. 4) Verify existence and contents of any referenced helper scripts (scripts/setup_repo.sh, oss-pr-campaign) before executing them. 5) Limit GH_TOKEN scopes to the minimum required (fork/push), rotate tokens after use, and never paste tokens into chat or public logs. If the publisher cannot justify the missing metadata and the token-in-URL pattern is not removed or explained, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: repo-setup
Version: 1.0.0
The repo-setup skill (SKILL.md) automates GitHub repository configuration but contains a significant security vulnerability regarding credential handling. It instructs the agent to perform a 'git clone' by embedding the GH_TOKEN directly into the URL, which results in the sensitive token being stored in plain text within the local .git/config file. While the workflow is consistent with the tool's stated purpose of repository setup, this practice facilitates credential exposure and is a high-risk implementation flaw.
Capability Assessment
Purpose & Capability
The SKILL.md clearly expects git and the GitHub CLI (gh), a GH_TOKEN or gh auth login, and language-specific toolchains (pip, npm, go, cargo, mvn, gradle). The skill metadata lists no required binaries or environment variables. This mismatch is unexpected — a repo-setup helper legitimately needs git and some auth mechanism declared in metadata.
Instruction Scope
Instructions stay within the repo-setup use case, but they also tell the agent/user to: request or rely on GH_TOKEN, run broad dependency installs (npm/pip/mvn/gradle) which execute third-party code, and include a token directly in an HTTPS clone URL. Embedding a token in the clone URL can leave the token in shell history, process listings, and repository config (remote URL), increasing the risk of accidental credential exposure. The doc also references an external helper script (oss-pr-campaign / scripts/setup_repo.sh) that is not provided or installed by this skill.
Install Mechanism
This is instruction-only with no install spec or code files, which is lower risk because nothing is written automatically. However, the README references an external helper script available only when paired with another (oss-pr-campaign) — that coupling is undocumented in the metadata and could confuse users.
Credentials
The instructions require a GH_TOKEN and GitHub username, but the skill declares no required env vars or primary credential. Asking for a GH token is reasonable for pushing/forking, but the skill does not document required token scopes or warn about safer alternatives (SSH or gh auth login). Also, the broad set of build toolchains suggested increases the surface area: running install commands will execute arbitrary third-party code (npm/pip/maven lifecycle scripts).
Persistence & Privilege
The skill is not always:true, has no install hook, and does not request persistent privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other strong privilege requests here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install repo-setup - After installation, invoke the skill by name or use
/repo-setup - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
repo-setup 1.0.0 — Initial Release
- Automates forking, cloning, and setting up a GitHub repository for development or contribution.
- Configures upstream remotes and creates feature branches from the latest upstream default branch.
- Detects project type and installs relevant dependencies for Python, Node.js, Go, Rust, Java, and Kotlin.
- Includes detailed SOP and automation script for streamlined repo setup.
- Outputs a ready-to-develop local repository with dependencies installed and remotes configured.
Metadata
Frequently Asked Questions
What is repo-setup?
Fork, clone, and set up a GitHub repository for development or contribution. Handles fork creation, clone with authentication, upstream remote configuration,... It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.
How do I install repo-setup?
Run "/install repo-setup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is repo-setup free?
Yes, repo-setup is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does repo-setup support?
repo-setup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created repo-setup?
It is built and maintained by Bijin (@sliverp); the current version is v1.0.0.
More Skills