Security scan
OpenClaw
Suspicious (medium confidence)
The skill's instructions legitimately describe using GitHub Copilot CLI and a Personal Access Token, but the published metadata omits the fact that the runtime expects a token file and an env var, and the SKILL.md directs storing the PAT in plaintext and reading it from your home directory. Review before installing.
Assessment and recommendations
This skill is essentially a how-to for using GitHub Copilot CLI and does require a GitHub Personal Access Token and the copilot CLI binary. Before installing/using it:
- Be aware the SKILL.md instructs you to store your PAT as plaintext at ~/.copilot/github_token.txt and uses 'cat' to load it; prefer using a secure secrets store or environment variable managed by your shell rather than an unprotected file.
- Verify the PAT scopes and use the minimum required (Copilot-only) and rotate/revoke it i...
ℹ Purpose and capabilities
The name/description (Copilot CLI code analysis) align with the instructions: the skill is an instruction-only guide to using GitHub Copilot CLI to analyze code and generate docs. Asking for Copilot CLI and a GitHub PAT is proportionate to that purpose.
⚠ Instruction scope
SKILL.md explicitly instructs the agent/user to store a GitHub Personal Access Token at ~/.copilot/github_token.txt and to run commands that read that file (cat ~/.copilot/github_token.txt) into COPILOT_GITHUB_TOKEN. That means the agent/runtime will be expected to read a secret from the user's home directory and will send project code to GitHub's Copilot API — both are in-scope for code analysis but are sensitive operations that should be made explicit in the skill metadata and consented to by the user.
ℹ Installation mechanism
There is no formal install spec in the registry (instruction-only). SKILL.md suggests installing via 'brew install copilot-cli' which is a standard package manager flow on macOS. This is low-risk compared to arbitrary downloads, but may not work on non-macOS platforms (the skill lists no OS restriction).
⚠ Credential requirements
The registry metadata declares no required env vars or config paths, yet the runtime instructions expect a COPILOT_GITHUB_TOKEN (sourced from ~/.copilot/github_token.txt). The token request is appropriate for Copilot usage, but the metadata/primary-credential fields should declare this. Also, SKILL.md recommends storing the PAT in plaintext under the user's home directory — a security risk if left unprotected.
✓ Persistence and permissions
The skill does not request 'always: true' and does not claim to modify system-wide agent settings. It is user-invocable and does not demand permanent platform presence.
Security is layered: review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.1 (2026/2/26)
Install command
Official: npx clawhub@latest install copilot-cli
Mirror (faster in China): npx clawhub@latest install copilot-cli --registry https://cn.clawhub-mirror.com
Skill documentation
Features
Use GitHub Copilot CLI to analyze code, explore projects, generate code, and automate development tasks.
Prerequisites
- Install Copilot CLI:
brew install copilot-cli
- Set up a GitHub Personal Access Token and save it at:
~/.copilot/github_token.txt
Usage
Basic commands
# Change into the project directory
cd /path/to/project
# Use Copilot CLI (with the saved token)
COPILOT_GITHUB_TOKEN=$(cat ~/.copilot/github_token.txt) copilot -p "your question"
Common exploration prompts
Project overview:
"What does this project do? Explain briefly."
Architecture analysis:
"Analyze this project's architecture and main modules."
Tech stack:
"Which main technologies and dependencies does this project use?"
Code search:
"Find the code that handles user authentication."
Documentation generation:
"Generate documentation for this module."
Code review:
"Review this file and identify potential problems."
Advanced usage
Target a specific file:
copilot -p "Explain what @src/main.js does"
Interactive session:
COPILOT_GITHUB_TOKEN=$(cat ~/.copilot/github_token.txt) copilot
Automatic execution (requires permissions):
copilot --yolo -p "Write unit tests for this feature"
Notes
- Copilot CLI uses the GitHub Copilot API to analyze code
- Where the code is hosted does not affect the analysis (GitLab, GitHub, etc.)
- Use the -p parameter for one-off queries
- Use an interactive session for complex tasks
Configuration files
- Token storage: ~/.copilot/github_token.txt
- Configuration directory: ~/.copilot/
- Log directory: ~/.copilot/logs/
Troubleshooting
Policy restriction error
If you get "Access denied by policy settings":
- Check https://github.com/settings/copilot
- Confirm that the Copilot CLI feature is enabled
- Confirm that your organization's policy allows third-party MCP servers
Token expired
Create a new Personal Access Token and update the file:
echo "new token" > ~/.copilot/github_token.txt
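The scan above flags two habits in this skill: loading the PAT with cat from an unprotected file, and refreshing it with a bare echo redirect that leaves the file at whatever mode your umask gives it. The following is an added example, not part of the skill or of ClawHub's scan output, that shows a more careful way to do the same two steps. It assumes only the token path and the COPILOT_GITHUB_TOKEN variable name from SKILL.md; the function names load_copilot_token, save_copilot_token and copilot_ask are the example's own.

```shell
#!/bin/sh
# Added example (not part of the skill): handle the Copilot PAT more carefully
# than `cat ~/.copilot/github_token.txt` / `echo "new token" > ...` do.
# Assumed from SKILL.md: the token file path and the COPILOT_GITHUB_TOKEN
# variable name. The function names here are the example's own.

TOKEN_FILE_DEFAULT="$HOME/.copilot/github_token.txt"

# Numeric owner uid and octal mode of a file (GNU stat first, then BSD/macOS stat).
_file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
_file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# load_copilot_token [token_file]
# Writes the token to stdout. Order of preference:
#   1. COPILOT_GITHUB_TOKEN already set (e.g. exported by a secrets manager),
#   2. the token file, but only if it is a regular file owned by the caller
#      and not readable by group or others (mode 600 or 400).
# Any other state is refused with a distinct non-zero exit code.
load_copilot_token() {
    _file="${1:-$TOKEN_FILE_DEFAULT}"

    if [ -n "${COPILOT_GITHUB_TOKEN:-}" ]; then
        printf '%s\n' "$COPILOT_GITHUB_TOKEN"
        return 0
    fi
    if [ ! -f "$_file" ]; then
        echo "load_copilot_token: no token file at $_file" >&2
        return 1
    fi
    if [ "$(_file_owner "$_file")" != "$(id -u)" ]; then
        echo "load_copilot_token: refusing $_file, not owned by you" >&2
        return 2
    fi
    _mode=$(_file_mode "$_file")
    case "$_mode" in
        600|400) ;;
        *) echo "load_copilot_token: refusing $_file, mode $_mode (run: chmod 600 $_file)" >&2
           return 3 ;;
    esac
    # First line only, stripped of line endings; an empty file is an error.
    _tok=$(head -n 1 "$_file" | tr -d '\r\n')
    if [ -z "$_tok" ]; then
        echo "load_copilot_token: token file is empty" >&2
        return 4
    fi
    printf '%s\n' "$_tok"
}

# save_copilot_token [token_file]
# Reads the new PAT from stdin (so it is not left in shell history) and
# writes it with owner-only permissions, creating the directory if needed.
save_copilot_token() {
    _file="${1:-$TOKEN_FILE_DEFAULT}"
    (
        umask 077                       # new dirs 700, new files 600
        mkdir -p "$(dirname "$_file")"
        head -n 1 | tr -d '\r\n' > "$_file"
    )
    chmod 600 "$_file"                  # also tightens a pre-existing file
}

# copilot_ask "<prompt>": the skill's one-off query, with the token checked
# first and passed only in the child process environment.
copilot_ask() {
    _tok=$(load_copilot_token) || return $?
    COPILOT_GITHUB_TOKEN="$_tok" copilot -p "$@"
}
```

Source this file from your shell, store a freshly created PAT with `save_copilot_token` (pipe it in from your secrets manager rather than typing it on the command line), and replace the skill's `COPILOT_GITHUB_TOKEN=$(cat ...) copilot -p "..."` invocation with `copilot_ask "..."`. If the token is already exported by a secrets manager, the file is never read; if it is read, a world-readable or foreign-owned file is refused with an explanatory message instead of being used silently.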
Example usage
# Analyze the base-auto project
cd /Users/agent/workspace/base-auto
# Quick question
COPILOT_GITHUB_TOKEN=$(cat ~/.copilot/github_token.txt) copilot -p "What are this project's core features?"
# In-depth analysis
COPILOT_GITHUB_TOKEN=$(cat ~/.copilot/github_token.txt) copilot -p "Analyze the project's database design and list the main tables and their relationships."
Resources
- Official documentation: https://docs.github.com/en/copilot
- Command reference: https://docs.github.com/en/copilot/reference/cli-command-reference
Data source: ClawHub · Chinese localization: 龙虾技能库