Total downloads: 113
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install repo-setup
Description
Fork, clone, and set up a GitHub repository for development or contribution. Handles fork creation, clone with authentication, upstream remote configuration,...
Security recommendations
Before installing or running this skill:
1) Treat the metadata mismatch as a red flag: ask the publisher to update required binaries (git, gh) and required env vars (GH_TOKEN) so you know what will be used.
2) Avoid cloning with a token embedded in the HTTPS URL; prefer gh auth login or SSH keys, and if you must use a token, use ephemeral/minimal-scoped tokens and remove them from remote URLs afterwards (git remote set-url).
3) Be cautious running dependency installs (npm, pip, mvn, gradle) from unknown repositories; these can execute arbitrary code (postinstall/build scripts). Consider running the setup in an isolated container or VM.
4) Verify existence and contents of any referenced helper scripts (scripts/setup_repo.sh, oss-pr-campaign) before executing them.
5) Limit GH_TOKEN scopes to the minimum required (fork/push), rotate tokens after use, and never paste tokens into chat or public logs.
If the publisher cannot justify the missing metadata and the token-in-URL pattern is not removed or explained, treat the skill as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: repo-setup
Version: 1.0.0
The repo-setup skill (SKILL.md) automates GitHub repository configuration but contains a significant security vulnerability regarding credential handling. It instructs the agent to perform a 'git clone' by embedding the GH_TOKEN directly into the URL, which results in the sensitive token being stored in plain text within the local .git/config file. While the workflow is consistent with the tool's stated purpose of repository setup, this practice facilitates credential exposure and is a high-risk implementation flaw.
Capability assessment
Purpose & Capability
The SKILL.md clearly expects git and the GitHub CLI (gh), a GH_TOKEN or gh auth login, and language-specific toolchains (pip, npm, go, cargo, mvn, gradle). The skill metadata lists no required binaries or environment variables. This mismatch is unexpected — a repo-setup helper legitimately needs git and some auth mechanism declared in metadata.
Instruction Scope
Instructions stay within the repo-setup use case, but they also tell the agent/user to: request or rely on GH_TOKEN, run broad dependency installs (npm/pip/mvn/gradle) which execute third-party code, and include a token directly in an HTTPS clone URL. Embedding a token in the clone URL can leave the token in shell history, process listings, and repository config (remote URL), increasing the risk of accidental credential exposure. The doc also references an external helper script (oss-pr-campaign / scripts/setup_repo.sh) that is not provided or installed by this skill.
Install Mechanism
This is instruction-only with no install spec or code files, which is lower risk because nothing is written automatically. However, the README references an external helper script available only when paired with another (oss-pr-campaign) — that coupling is undocumented in the metadata and could confuse users.
Credentials
The instructions require a GH_TOKEN and GitHub username, but the skill declares no required env vars or primary credential. Asking for a GH token is reasonable for pushing/forking, but the skill does not document required token scopes or warn about safer alternatives (SSH or gh auth login). Also, the broad set of build toolchains suggested increases the surface area: running install commands will execute arbitrary third-party code (npm/pip/maven lifecycle scripts).
Persistence & Privilege
The skill is not always:true, has no install hook, and does not request persistent privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other strong privilege requests here.
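How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install repo-setup
- Once installation completes, invoke the Skill by name or trigger it with /repo-setup
- Provide the required input according to the Skill's parameter description to get structured output.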
Version history
v1.0.0
repo-setup 1.0.0 — Initial Release
- Automates forking, cloning, and setting up a GitHub repository for development or contribution.
- Configures upstream remotes and creates feature branches from the latest upstream default branch.
- Detects project type and installs relevant dependencies for Python, Node.js, Go, Rust, Java, and Kotlin.
- Includes detailed SOP and automation script for streamlined repo setup.
- Outputs a ready-to-develop local repository with dependencies installed and remotes configured.
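FAQ
What is repo-setup?
Fork, clone, and set up a GitHub repository for development or contribution. Handles fork creation, clone with authentication, upstream remote configuration,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 113 total downloads so far.
How do I install repo-setup?
Run the command "/install repo-setup" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is repo-setup free?
Yes. repo-setup is completely free, is licensed under MIT-0, and can be freely downloaded, installed and used.
Which platforms does repo-setup support?
repo-setup is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed repo-setup?
It is developed and maintained by Bijin (@sliverp); the current version is v1.0.0.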