Security Scan
OpenClaw
Security
Medium confidence: this is an instruction-only guidance skill for using the GitHub Copilot CLI that is internally consistent with its stated purpose, though it implicitly assumes the GitHub CLI (gh) and the Copilot extension/auth are present while not declaring them.
Assessment recommendations
This skill is an instruction-only guide for GitHub Copilot CLI and looks coherent, but review these points before installing or using it:
- Verify you have the GitHub CLI (gh) and the Copilot extension installed locally; the skill assumes they exist but the metadata doesn't declare them.
- Ensure gh is authenticated (gh auth login) with appropriate account access; Copilot CLI will use that auth and may transmit repository context to GitHub/Copilot services — avoid sending secrets or sensitiv...
ℹ Purpose and capabilities
The name/description match the content: SKILL.md is a usage guide for gh copilot. However, the metadata lists no required binaries or credentials while the instructions clearly expect the GitHub CLI (gh) and the Copilot CLI extension to be available and authenticated. This is a minor mismatch (missing explicit 'requires: gh' and an explanation about gh auth).
✓ Instruction scope
Instructions stay on-topic: running gh copilot explain/suggest against paths, role-based prompting, orchestration patterns, and a harmless frontmatter lint check that reads the skill's own SKILL.md. There are no instructions to read unrelated system files, access unrelated environment variables, exfiltrate data, or automatically push commits.
✓ Install mechanism
No install spec and no code files — lowest-risk instruction-only skill. Nothing will be downloaded or written by an installer according to the metadata.
ℹ Credential requirements
The skill declares no required environment variables or credentials (reasonable for a guide). In practice, using gh copilot requires the gh binary and GitHub authentication (gh auth or similar) and may transmit repository context to GitHub/Copilot services; those dependencies are not declared in metadata and users should be aware of the implicit credential/use of networked Copilot services.
✓ Persistence and permissions
The always flag is false and the skill is user-invocable (normal). It does not request persistent system presence, nor does it instruct modifying other skills or the global agent config.
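The scan's three practical recommendations (gh and its Copilot extension installed, gh authenticated, and no secrets in the context you send) can be checked before every gh copilot run. The script below is an added example and is not part of the skill or of ClawHub's scanner. It assumes gh is on PATH, uses the real gh auth status and gh extension list commands for the readiness check, and scans the directory you would pass with --path for a few illustrative credential patterns (AWS access key IDs, classic GitHub tokens, PEM private-key headers, quoted password/secret/token assignments); demo() runs the scan over constructed sample files in a temporary directory.

```python
"""Pre-flight check before `gh copilot ... --path <dir>` (added example; not part of the skill).

Two things the scan above recommends: confirm gh, the Copilot extension and gh auth
are in place, and make sure the directory you are about to hand Copilot as context
holds no obvious secrets. The regexes are illustrative high-confidence patterns, and
demo() builds constructed sample files in a temp directory.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Illustrative patterns; extend for your own credential formats.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def scan_text(text):
    """Return [(line_no, rule_name)] for every matching line; the value itself is never echoed."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((line_no, name))
    return hits


def scan_path(root):
    """Walk root (skipping SKIP_DIRS and binaries) and return sorted [(rel_path, line_no, rule)]."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                raw = f.read()
            if b"\0" in raw[:1024]:          # crude binary check
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for line_no, rule in scan_text(raw.decode("utf-8", errors="replace")):
                findings.append((rel, line_no, rule))
    return sorted(findings)


def gh_ready():
    """Report whether gh is on PATH, authenticated, and has a copilot extension installed.
    Shells out to gh, so it is not exercised offline."""
    status = {"gh_on_path": shutil.which("gh") is not None,
              "authenticated": False, "copilot_extension": False}
    if status["gh_on_path"]:
        status["authenticated"] = subprocess.run(
            ["gh", "auth", "status"], capture_output=True).returncode == 0
        ext = subprocess.run(["gh", "extension", "list"], capture_output=True, text=True)
        status["copilot_extension"] = "copilot" in ext.stdout
    return status


def demo():
    """Scan a constructed sample tree; three of the four files should be flagged."""
    files = {
        ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",     # AWS's documented example key
        "config.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
        "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n",
        "main.py": 'print("hello")\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        return scan_path(root)


if __name__ == "__main__":
    print("gh:", gh_ready())
    for rel, line_no, rule in demo():
        print(f"{rel}:{line_no}: {rule}")   # do not run gh copilot --path on this tree until cleaned
```

The scanner reports file, line and rule only, never the matched value, so its output can be pasted into a ticket without re-leaking the secret. Treat any finding as a stop: move the credential out of the tree (environment, secret manager) before pointing Copilot at that directory.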
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v0.1.2 (2026/2/8)
Version 0.1.2 of github-copilot-cli: no file or documentation changes detected in this release; functionality, usage guidance and documentation remain unchanged from the previous version.
● Harmless
Install command
Official: npx clawhub@latest install github-copilot-cli
Mirror: npx clawhub@latest install github-copilot-cli --registry https://cn.clawhub-mirror.com
Skill documentation
Frontmatter Linting (Do This First)
YAML frontmatter is strict. A single extra space can break the skill.
Before committing or publishing:
# Basic sanity check: prints "Frontmatter OK" on success, otherwise exits non-zero with the problem
python - <<'PY'
import re, sys, yaml
text = open('SKILL.md').read()
# Parse only the block between the first two '---' lines: yaml.safe_load on the whole
# file fails, because the Markdown body after the closing '---' is a second YAML document.
m = re.match(r'^---\n(.*?)\n---\n', text, re.S)
if not m:
    sys.exit('no frontmatter block at the top of SKILL.md')
fm = yaml.safe_load(m.group(1))
if not isinstance(fm, dict) or set(fm) != {'name', 'description'}:
    sys.exit(f'frontmatter must contain exactly name and description, got: {fm!r}')
print('Frontmatter OK')
PY
Rules to remember:
- No leading spaces before keys (name, description)
- Use spaces, not tabs
- Keep frontmatter minimal (only name and description)
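An added example (not the skill's own lint snippet) that turns the three rules above into a standard-library check: it parses only the block between the first two '---' lines, never the Markdown body, and reports the offending line number for tabs, indented keys, malformed lines, unexpected or duplicate keys and empty values. It assumes, as the rules imply, that name and description are the only allowed keys and that both are required; the sample SKILL.md strings at the bottom are constructed for the demonstration.

```python
"""Strict SKILL.md frontmatter linter (added example; not the skill's own check).

The rules above restrict the frontmatter to flat `name:` and `description:`
lines, so this lints exactly that shape with the standard library only.
It examines just the block between the first two '---' lines and never the
Markdown body. Assumption: both keys are required.
"""
import re

ALLOWED_KEYS = ("name", "description")
FRONTMATTER = re.compile(r"^---\n(.*?)\n---(?:\n|$)", re.S)
# A flat `key: value` line; `key:` with nothing after it is allowed here so that
# an empty value gets its own, more specific message below.
KEY_VALUE = re.compile(r"^([A-Za-z][\w-]*):(?: +(.*))?$")


def lint_frontmatter(text):
    """Return a list of problems; an empty list means the frontmatter is OK.
    Line numbers count from the top of the file (line 1 is the opening '---')."""
    m = FRONTMATTER.match(text)
    if not m:
        return ["no frontmatter block between '---' lines at the top of the file"]
    problems = []
    seen = {}
    for line_no, line in enumerate(m.group(1).splitlines(), start=2):
        if not line.strip():
            continue                      # blank lines are harmless
        if "\t" in line:
            problems.append(f"line {line_no}: tab character (use spaces)")
            continue
        if line[0] == " ":
            problems.append(f"line {line_no}: leading spaces before key")
            continue
        kv = KEY_VALUE.match(line)
        if not kv:
            problems.append(f"line {line_no}: expected 'key: value'")
            continue
        key, value = kv.group(1), (kv.group(2) or "").strip()
        if key not in ALLOWED_KEYS:
            problems.append(f"line {line_no}: unexpected key {key!r}")
        elif key in seen:
            problems.append(f"line {line_no}: duplicate key {key!r}")
        elif not value:
            problems.append(f"line {line_no}: empty value for {key!r}")
        seen[key] = value
    for key in ALLOWED_KEYS:
        if key not in seen:
            problems.append(f"missing key {key!r}")
    return problems


# Constructed sample SKILL.md contents for the demonstration.
GOOD = (
    "---\nname: github-copilot-cli\n"
    "description: Usage guide for gh copilot explain/suggest.\n---\n"
    "# Frontmatter Linting (Do This First)\n\nYAML frontmatter is strict.\n"
)
TAB = "---\nname: github-copilot-cli\n\tdescription: tabbed\n---\nbody\n"
INDENTED = "---\n name: github-copilot-cli\ndescription: x\n---\nbody\n"
EXTRA = "---\nname: github-copilot-cli\ndescription: x\nversion: 1.0\n---\nbody\n"
EMPTY = "---\nname: x\ndescription:\n---\nbody\n"
NO_FM = "# Just a heading, no frontmatter\n"

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("tab", TAB), ("indented", INDENTED),
                          ("extra key", EXTRA), ("empty value", EMPTY), ("no frontmatter", NO_FM)]:
        print(f"{label}: {lint_frontmatter(sample) or 'OK'}")
```

Because the rules limit the frontmatter to two flat key: value lines, no YAML library is needed; anything fancier (nested keys, multi-line scalars, comments) is reported as a violation rather than tolerated, which is the behaviour you want from a pre-commit gate for this format.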
Mental Model
Treat Copilot CLI as a team of elite specialists coordinated by you:
- One Copilot instance can act as frontend engineer
- One as backend engineer
- One as tester / QA
- One as infrastructure or refactor specialist
Copilot is excellent at coding and architecture when given clear roles. You act as the CTO / conductor:
- Define goals and constraints
- Let Copilot instances propose solutions
- Observe trade‑offs and conflicts
- Escalate decisions or risks to yourself explicitly
Core Commands You Should Actually Use
1. Ask questions about a codebase
gh copilot explain "What does this service do?" --path src/
Use when orienting yourself or reloading context after a break.
2. Generate a focused change (most common)
gh copilot suggest "Add logging when translation fallback is used" --path services/translation
Best practice:
- Phrase the request as a delta, not a feature
- Always point it at a specific directory
- Check gh copilot suggest --help first: the --path flag used in these examples must be accepted by the Copilot CLI version you have installed, and everything under that directory becomes context sent to the service
3. Debug with constraints
gh copilot suggest "Why might this function return null under load?" --path src/choreo
Follow up manually by reading the code it points to.
4. Tests first, code second
gh copilot suggest "Write failing tests for punctuation correction on voice transcription" --path tests/
Then iterate toward the fix yourself.
Prompting Patterns That Work
✅ Good prompts (role-aware)
- "As a backend engineer, draft a minimal fix for X"
- "As a tester, add guards so Y never happens"
- "As infra, refactor this to be safer, not faster"
❌ Bad prompts
- "Implement feature X end-to-end"
- "Refactor the whole service"
- "Make this production-ready"
Multi‑Copilot Orchestration Loop (Recommended)
- Decompose (CTO)
- Propose (Copilot roles)
gh copilot suggest "As a backend engineer, propose a minimal fix for mixed-language carryover" --path src/
gh copilot suggest "As a tester, write failing tests for mixed-language carryover" --path tests/
- Cross‑check (Copilot vs Copilot)
- Escalate (to you)
- Finalize (with you)
When NOT to Use Copilot CLI
Copilot CLI should not be the final authority in situations where:
- Product or organizational trade‑offs dominate over code correctness
- Cross‑repo or cross‑team coordination is required
- Security, privacy, or compliance decisions are involved
- Ambiguous state machines where correctness depends on real‑world behavior
In these cases, Copilot may still propose options, but you must explicitly review and decide.
Golden Rule
Copilot is a force multiplier, not a decision owner.
Use Copilot to:
- Generate competing implementations
- Surface assumptions
- Stress‑test ideas from multiple angles
You own:
- Final intent
- Risk acceptance
- Merge decisions
Copilot accelerates thinking — it does not replace judgment.
Source: ClawHub · Chinese localization: 龙虾技能库