← 返回 Skills 市场

repo runner

Name: repo runner
Author: zyl-hub

作者 En · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

447

总下载

当前安装

版本数

在 OpenClaw 中安装

/install repo-runner

功能描述

Bootstrap and run a GitHub project by following its docs (README/docs), with safeguards for untrusted install/run steps. Use when the user gives a GitHub rep...

安全使用建议

This skill is internally consistent and behaves like a helper that inspects a repository and recommends safe commands. It does not itself exfiltrate secrets or require credentials. However, it is designed to run install/build/run commands you may approve — which can execute arbitrary code from the repository. Before approving destructive or networked operations (git pull, installs, curl | bash, docker compose, etc.), review the repo's README and the specific commands the skill proposes. Prefer running untrusted projects inside an isolated environment (container or VM), avoid auto-applying .env values (provide secrets out-of-band), and deny any installation or postinstall scripts you don't understand. If you want a higher assurance check, ask for the exact commands the skill will run and inspect them line-by-line before consenting.

功能分析

Type: OpenClaw Skill Name: repo-runner Version: 1.0.2 The 'repo-runner' skill is designed to execute untrusted code from GitHub repositories, which is an inherently high-risk operation. While the `SKILL.md` explicitly instructs the AI agent to 'ask for confirmation' before running `npm install` or 'any `curl | bash`', this still allows for Remote Code Execution (RCE) if the user is tricked into confirming a malicious script from the untrusted repository. The auxiliary scripts (`scripts/detect_project.sh`, `scripts/suggest_node_commands.sh`) are for analysis and suggestion only, not direct execution of untrusted code, and do not show malicious intent. The primary concern is the explicit instruction in `SKILL.md` to allow `curl | bash` with user confirmation, which represents a significant vulnerability, classifying it as suspicious rather than benign, but not malicious as there's no evidence of intentional self-exploitation or hidden harmful behavior by the skill itself.

能力评估

✓ Purpose & Capability

Name/description match the provided scripts and SKILL.md: the skill detects project type, suggests install/run commands, and guides safe setup. It does not request unrelated credentials or system paths.

✓ Instruction Scope

SKILL.md keeps scope to repo discovery, prerequisite checks, dependency installation (only after explicit confirmation), .env handling (only after confirmation), and running documented commands. It does not instruct reading arbitrary host files or exfiltrating data. The workflow responsibly warns about treating repo code as untrusted.

✓ Install Mechanism

There is no install spec and included shell scripts are small and local. No downloads from remote URLs or archive extraction are present. Risk from install-time actions is low from the skill itself (runtime actions depend on user consent).

✓ Credentials

The skill declares no required env vars, credentials, or config paths. Scripts check for local runtimes (node, etc.) which is appropriate to detect project types; they do not read hidden credentials or request tokens.

✓ Persistence & Privilege

always is false and there is no mechanism to persistently modify other skills or global agent settings. The skill does not request elevated or permanent privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install repo-runner
安装完成后，直接呼叫该 Skill 的名称或使用 /repo-runner 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- Expanded support for more languages and project types: now recognizes Go and Rust in addition to Node, Python, and Docker. - Improved detection logic: a repository can match multiple project types, choosing the canonical workflow based on documentation. - More detailed dependency installation instructions per language, including virtual environments for Python and tool-specific commands. - Docker instructions now prefer documented docker-compose paths when present. - Maintains strong safety and confirmation safeguards throughout the workflow.

v1.0.1

- Updated workspace and script path conventions to use `<openclaw-workspace>` as a variable, improving portability across environments. - Clarified not to assume a fixed workspace path; `$HOME/.openclaw/workspace` is typical, but not required. - Specified that the `detect_project.sh` script should be called from the skill directory, referencing paths relatively from `<openclaw-workspace>/skills/repo-runner`. - No changes to code or workflow logic.

v1.0.0

Initial release of repo-runner, a tool to safely bootstrap and run GitHub projects by following project documentation. - Prompts user for repo source, target (dev/build/test), and safety constraints (dependency install, scripts, Docker). - Enforces strict safeguards for untrusted code, confirming before any install or secret-handling steps. - Automates workspace setup, documentation extraction, runtime verification, and environment configuration. - Detects project type and runs the appropriate commands as intended by the project's docs. - Reports back exact commands run, local URL/port, and next steps for user clarity.

元数据

Slug repo-runner

版本 1.0.2

许可证 —

累计安装 2

当前安装数 2

历史版本数 3

常见问题

repo runner 是什么？

Bootstrap and run a GitHub project by following its docs (README/docs), with safeguards for untrusted install/run steps. Use when the user gives a GitHub rep... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 447 次。

如何安装 repo runner？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install repo-runner」即可一键安装，无需额外配置。

repo runner 是免费的吗？

是的，repo runner 完全免费（开源免费），可自由下载、安装和使用。

repo runner 支持哪些平台？

repo runner 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 repo runner？

由 En（@zyl-hub）开发并维护，当前版本 v1.0.2。