
Git Federation Searcher

Author: DJ_Swiss · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 579
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install git-federation-searcher
Description
Search across multiple self-hosted Git instances including Gitea, Forgejo, GitLab, and Codeberg. Aggregates search results from Codeberg.org, Gitea.com, Open...
Usage instructions (SKILL.md)

Git Federation Searcher

Search across multiple self-hosted Git instances in parallel.

Overview

This tool searches across various Git hosting platforms (not just GitHub/GitLab) including:

  • Codeberg
  • Gitea.com
  • NotABug
  • Gitdab
  • Self-hosted instances

Features

  • Multi-Instance Search: Search 5+ instances at once
  • Auto-Discovery: Detects if instances are reachable
  • Add Custom Instances: Add your own Gitea/GitLab instances
  • Fallback to Web: Uses SearXNG if API search fails
  • Type Detection: Auto-detects Gitea vs GitLab vs Forgejo
  • Results by Stars: Sorted by popularity

Default Instances

Instance  | Type    | URL
Codeberg  | Gitea   | https://codeberg.org
Gitea.com | Gitea   | https://gitea.com
OpenDev   | Gitea   | https://opendev.org
NotABug   | Gogs    | https://notabug.org
Gitdab    | Forgejo | https://gitdab.com

Usage

Command Line

# Search all instances
python3 git_federation_searcher.py "whisper"

# List configured instances
python3 git_federation_searcher.py --list

# Add custom instance
python3 git_federation_searcher.py --add MyGitea https://git.example.com gitea

# Remove instance
python3 git_federation_searcher.py --remove MyGitea

Telegram Bot

/gitsearch whisper              # Search all instances
/gitinstances                   # List all configured
/gitadd Name URL Type           # Add custom instance

Supported Git Types

Type    | API        | Notes
Gitea   | ✅ Full    | Best support
Forgejo | ✅ Full    | Gitea fork, same API
GitLab  | ✅ Full    | Uses v4 API
Gogs    | ✅ Partial | Basic search only

Requirements

  • Python 3.7+
  • curl (for API calls)
  • (Optional) SearXNG for web fallback
Security recommendations
This skill appears to implement the advertised functionality, but review and mitigation steps are recommended before installing:

  • Inspect the full _web_search implementation (the provided snippet is truncated). Confirm whether it invokes shell commands or external endpoints and whether it uses environment variables — this affects injection risk.
  • Note that API tokens you add are stored in plaintext in instances.json under a hard-coded SKILL_DIR (/root/.openclaw/workspace/skills/git-federation-searcher). If you will add private instances, use least-privilege/read-only tokens and ensure file permissions are restrictive, or modify the code to store secrets safely.
  • Ensure curl is available on the host or adapt the code to use Python's HTTP libraries; the registry/metadata does not declare curl as a requirement even though the code calls it via subprocess.
  • Because the skill runs subprocesses to perform network calls, run it in a sandboxed environment (or non-privileged account) if you are unsure about trusting its source.
  • If you need higher assurance, ask the publisher to: (1) remove hard-coded absolute paths or make them configurable, (2) document any environment variables used (e.g., SearXNG URL), and (3) avoid shell invocation in favor of requests/urllib to reduce command injection risk.

If you can retrieve and review the full git_federation_searcher._web_search function and confirm there are no shell/unsanitized string executions there, it would raise confidence. Without that, treat the skill as suspicious and proceed with caution.
Functional analysis
Type: OpenClaw Skill
Name: git-federation-searcher
Version: 1.0.0

The skill is classified as suspicious due to a critical shell injection vulnerability found in `git_federation_searcher.py`. The `_web_search` function uses `subprocess.run(cmd, shell=True)` where `cmd` is constructed using an f-string that includes user-controlled input (`query`), allowing for arbitrary command execution. Additionally, the skill stores user-provided API tokens in plain text within `instances.json`, posing a data security risk. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, classifying these issues as vulnerabilities rather than malice.
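The two findings above (a query interpolated into a `shell=True` command, and tokens written to `instances.json` in plaintext) can be remediated as sketched below. This is an added example, not the skill's own code: the function names, the SearXNG-style `/search?q=...&format=json` URL, port 8080 and the sample token are assumptions.

```python
import json
import os
import subprocess
import sys
import tempfile
from urllib.parse import urlencode, urlsplit

def build_curl_argv(base_url, query):
    """Build an argument list for curl; the query is URL-encoded and never parsed by a shell."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing non-HTTP(S) base URL: {base_url!r}")
    # Assumed endpoint shape (SearXNG JSON search); adjust to the real fallback URL.
    url = base_url.rstrip("/") + "/search?" + urlencode({"q": query, "format": "json"})
    return ["curl", "--silent", "--fail", "--max-time", "10", "--proto", "=http,https", url]

def args_seen_by_child(argv):
    """Run a harmless child (no shell) that reports the arguments it received after argv[0]."""
    probe = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(probe + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

def save_instances(path, instances):
    """Write the instance config (which may hold API tokens) readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a pre-existing, looser file
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(instances, fh, indent=2)

def demo():
    hostile = 'whisper"; echo INJECTED #'  # constructed input with shell metacharacters
    argv = build_curl_argv("http://127.0.0.1:8080", hostile)  # constructed local endpoint
    received = args_seen_by_child(argv)  # each element arrives as one literal argument
    path = os.path.join(tempfile.mkdtemp(), "instances.json")
    save_instances(path, {"MyGitea": {"url": "https://git.example.com", "token": "PLACEHOLDER"}})
    return argv, received, oct(os.stat(path).st_mode & 0o777)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Restrictive file permissions limit who can read the tokens but do not encrypt them; least-privilege, read-only tokens remain the stronger control.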
Capability assessment
Purpose & Capability
The code and SKILL.md align with the stated purpose (search multiple self-hosted Git instances, add private instances, fallback to web search). However there is a mismatch between metadata and implementation: SKILL.md and the Python code rely on curl/subprocess for API calls, but the registry metadata lists no required binaries. Also meta.json declares 'exec' and 'web_search' permissions which correspond to the use of subprocess/curl and network access — that's expected but not fully documented in the registry fields.
Instruction Scope
Runtime instructions stay within the declared purpose (API calls to Git hosts, optional web fallback). The skill reads/writes an instances.json config and search_cache.json in a hard-coded SKILL_DIR and will accept and store API tokens for private instances. That storage and the network scanning behaviour are within the tool's remit but deserve attention because they broaden what the skill touches (local file system and arbitrary network hosts).
Install Mechanism
There is no install spec and requirements.txt lists no external packages; the code uses only the standard library and subprocess/curl. No external archive downloads or installers are used. The absence of a declared curl dependency in the registry is an oversight but not an installer risk.
Credentials
The skill requests no environment variables or credentials in metadata, but it stores API tokens provided by the user in plaintext inside instances.json under a hard-coded SKILL_DIR (an absolute path under /root/.openclaw/...). Storing tokens unencrypted on disk is a sensitive operation and the absolute path may be unexpected. The SKILL.md mentions optional SearXNG for fallback but there is no declared env var for configuring its URL; the code snippet shown for the web fallback is truncated and appears to reference an endpoint (127.0.0.1) — this gap reduces confidence that external endpoints and env accesses are fully documented.
Persistence & Privilege
always:false (good). The skill writes persistent config files into a hard-coded workspace path and will persist API tokens and instance data; that is normal for a configuration-capable skill but the absolute /root path and lack of explanation about file permissions increases risk if the skill runs in a multi-tenant environment. The skill does not request to modify other skills or system-wide configs.
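How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install git-federation-searcher
  3. Once installation completes, invoke the Skill by name or trigger it with /git-federation-searcher
  4. Provide the required inputs according to the Skill's parameter description to get structured output.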
Version history
v1.0.0
Initial release of git-federation-searcher.

  • Search across multiple self-hosted Git instances (Gitea, Forgejo, GitLab, Codeberg, NotABug, Gitdab)
  • Aggregate results across 5+ public Git forges; sort by popularity (stars)
  • Add custom/self-hosted instances with API token support
  • Automatic detection of instance type and reachability
  • Fallback to SearXNG web search if API fails
  • Command line and Telegram bot interfaces included
Metadata
Slug: git-federation-searcher
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 1
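FAQ

What is Git Federation Searcher?

Search across multiple self-hosted Git instances including Gitea, Forgejo, GitLab, and Codeberg. Aggregates search results from Codeberg.org, Gitea.com, Open... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 579 total downloads so far.

How do I install Git Federation Searcher?

Run the command "/install git-federation-searcher" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Git Federation Searcher free?

Yes, Git Federation Searcher is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Git Federation Searcher support?

Git Federation Searcher is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Git Federation Searcher?

It is developed and maintained by DJ_Swiss (@djswiss); the current version is v1.0.0.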
