← Back to Skills Marketplace

github-skill-manager

Name: github-skill-manager
Author: qvshuo

by An Jing · GitHub ↗ · v1.0.3 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install github-skill-manager

Description

管理来自 GitHub 仓库的技能。用户要安装技能、检查技能更新、更新已安装技能、卸载技能，或提到注册技能、GitHub 技能、REGISTRY.yaml 时，优先使用此技能。

README (SKILL.md)

Skill Manager

帮助管理来自 GitHub 仓库的技能安装、检查更新、更新和卸载。

技能安装到 skills/{skill-name}/，并通过 skills/skill-manager/REGISTRY.yaml 记录来源与 commit SHA。

前置条件

所有 GitHub 操作都依赖已认证的 gh CLI。

执行前运行：

gh auth status

如果失败，提示：请先运行 gh auth login。 并停止。

输入

从来源中提取这 4 个字段：

字段	说明	示例
`owner`	仓库所有者	`openai`
`repo`	仓库名称	`skills`
`branch`	分支名，默认 `main`	`main`
`path`	仓库内技能目录路径	`skills/example-skill`

技能名称取 path 的最后一段目录名。

沟通

检查更新时，用表格输出结果：

| 技能名称      | 本地 commit SHA | 远程 commit SHA | 状态 |
|---------------|-----------------|-----------------|------|
| example-skill | abc1234         | def5678         | 需要更新 |
| web-search    | 9f8e7d6         | 9f8e7d6         | 已是最新 |

安装、更新或卸载完成后，明确告诉用户受影响的技能名称和结果。

安装

安装指定来源的技能，并写入 REGISTRY.yaml。

步骤：

解析来源，提取 owner、repo、branch、path
下载仓库归档并提取目标目录
将技能保存到 skills/{skill-name}/
在 REGISTRY.yaml 中追加条目，记录 owner、repo、branch、path、commit 和 updated

使用：

gh api "repos/{owner}/{repo}/tarball/{branch}" > archive.tar.gz
# 解压后将 {path} 复制到 skills/{skill-name}/

如果目标目录已存在，停止安装，不覆盖现有目录。

检查更新

扫描 REGISTRY.yaml，检查已注册技能的远程 commit SHA 是否发生变化。

使用：

gh api "repos/{owner}/{repo}/contents/{path}?ref={branch}" --jq '.sha'

默认检查全部已注册技能；如果用户指定技能名，只检查对应条目。

检查失败时，跳过该技能，并保持本地文件和注册表不变。

更新

更新已注册技能中有变化的条目。

步骤：

先运行更新检查
对每个需要更新的技能，重新下载并替换 skills/{skill-name}/
更新对应注册表条目的 commit 和 updated

未指定技能名时，更新全部过期技能；指定技能名时，只更新对应条目。

如果技能未注册，先告诉用户该技能不在 REGISTRY.yaml 中，不执行更新。

更新前如果发现本地有未保存的修改，先提示冲突风险。

任何下载或更新失败时，不覆盖本地文件，不修改对应注册表条目。

卸载

删除技能目录，并从 REGISTRY.yaml 中移除对应条目。

步骤：

确认技能名称
删除 skills/{skill-name}/
从 REGISTRY.yaml 中移除对应条目

如果技能目录不存在但注册表条目存在，只移除注册表条目。

注册表

位置：skills/skill-manager/REGISTRY.yaml

skills:
  - owner: openai
    repo: skills
    branch: main
    path: skills/example-skill
    commit: abc123def456
    updated: 2026-01-01

规则：

安装时追加新条目
更新时只修改目标条目的 commit 和 updated
不重新排序，不删除无关条目

行为约束

仅管理来自 GitHub 仓库的技能
默认以 branch=main 处理未显式指定分支的来源
不覆盖现有技能目录，除非当前操作就是更新该技能
不覆盖失败的下载结果或半成品目录

Usage Guidance

This skill appears to do what it says: manage skills stored in GitHub repositories using the gh CLI. Before installing or letting an agent use it, ensure: (1) you have gh installed and authenticated (run gh auth status); (2) the GitHub account/token used by gh has only the minimum required scopes you accept, because the skill will use your gh credentials to fetch repos; (3) you trust the source repository before installing a skill (installing writes files that the agent may later execute); (4) keep backups of skills/ and skills/skill-manager/REGISTRY.yaml, and review the repo contents (or a commit SHA) before installation. Note the manifest omission: the skill expects gh but does not declare it — consider adding that requirement or verifying gh is available before use.

Capability Analysis

Type: OpenClaw Skill Name: github-skill-manager Version: 1.0.3 The 'github-skill-manager' acts as a package manager for the OpenClaw agent, providing instructions in SKILL.md to download, install, and update code from arbitrary GitHub repositories using the 'gh' CLI. While the logic appears transparent and aligned with its stated purpose, the capability to fetch and execute remote code is a high-risk behavior that could be leveraged for Remote Code Execution (RCE) if the agent is directed to a malicious repository. No evidence of intentional malice, such as hardcoded malicious URLs or data exfiltration, was found in SKILL.md or _meta.json.

Capability Assessment

ℹ Purpose & Capability

The skill is explicitly a GitHub-based skill manager and its instructions use the gh CLI and GitHub tarball/contents APIs — this is appropriate for the stated purpose. Minor inconsistency: SKILL.md requires an authenticated gh CLI (gh auth status) but the skill metadata lists no required binaries or primary credential.

✓ Instruction Scope

SKILL.md limits actions to downloading/extracting repo archives, copying skill directories into skills/{skill-name}/, and updating skills/skill-manager/REGISTRY.yaml. It does not instruct reading unrelated system files or sending data to external endpoints other than GitHub, and it includes safety checks (don't overwrite existing directories, check for uncommitted changes).

✓ Install Mechanism

This is an instruction-only skill with no install spec and no archives pulled from arbitrary servers; downloads are via GitHub repository tarballs (gh api), which is an expected and lower-risk source for this purpose.

ℹ Credentials

The skill relies on gh being installed and authenticated (gh auth status). That implies use of locally-stored GitHub credentials (gh's OAuth/token). The manifest does not declare this dependency or any required env vars; while expected for GitHub operations, users should be aware the skill will use whatever gh credentials are configured on the host.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills' configurations beyond adding/removing entries in its own REGISTRY.yaml, and its filesystem writes are scoped to skills/{skill-name}/ and skills/skill-manager/REGISTRY.yaml as described.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install github-skill-manager
After installation, invoke the skill by name or use /github-skill-manager
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.3

- Improved documentation: SKILL.md now provides clear step-by-step instructions for installing, updating, and uninstalling skills from GitHub repositories. - Outlines input fields, system requirements, and usage examples for managing skills via the `gh` CLI and REGISTRY.yaml tracking. - Defines precise behavior for skill installation, version checking, updates, and removal, including conflict and error handling. - Clarifies communication: results, updates, and errors are reported directly to the user with tables or targeted messages. - Enforces strict management of skills only from GitHub and reinforces safeguards against unwanted overwrites and partial installations.

Metadata

Slug github-skill-manager

Version 1.0.3

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is github-skill-manager?

管理来自 GitHub 仓库的技能。用户要安装技能、检查技能更新、更新已安装技能、卸载技能，或提到注册技能、GitHub 技能、REGISTRY.yaml 时，优先使用此技能。 It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.

How do I install github-skill-manager?

Run "/install github-skill-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is github-skill-manager free?

Yes, github-skill-manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does github-skill-manager support?

github-skill-manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created github-skill-manager?

It is built and maintained by An Jing (@qvshuo); the current version is v1.0.3.

More Skills