bulk-github-star
Flagged{"isSafe":false,"isSuspicious":true,"riskLevel":"high","findings":[{"category":"shell_command","severity":"high","description":"Node.js code uses execSync to run gh API calls built by string interpolation from user-controlled inputs (username, owner, name). This can lead to command injection if inputs contain shell metacharacters. The commands are constructed via template literals and passed to the shell, e.g. execSync(`gh repo list ${username} ...`) and execSync(`gh api -X PUT /user/starred/${owner}/${name}`, ...).","evidence":"async function starAllUserRepos(username) {\n const { execSync } = require('child_process');\n // Get all repos for user\n const output = execSync(`gh repo list ${username} --limit 100 --json nameWithOwner`, { encoding: 'utf8' });\n const repos = JSON.parse(output);\n for (const repo of repos) {\n const [owner, name] = repo.nameWithOwner.split('/');\n try {\n execSync(`gh api -X PUT /user/starred/${owner}/${name}`, { stdio: 'inherit' });\n console.log(`✓ Starred: ${repo.nameWithOwner}`);\n } catch (err) {\n console.error(`✗ Failed to star ${repo.nameWithOwner}:`, err.message);\n }\n }\n}"},{"category":"shell_command","severity":"medium","description":"Bash portion uses unquoted variable expansions in a for loop (for repo in $repos; do ...). If the computed repo list contains whitespace or special characters, it can lead to word-splitting or injection-like issues. Safer to quote expansions and/or read lines robustly (e.g., while IFS= read -r repo; do ... done).","evidence":"repos=$(gh repo list $USER --limit 100 | grep \"^$USER/\" | cut -f1)\n\nfor repo in $repos; do\n echo \"Starring: $repo\"\n gh api -X PUT /user/starred/$repo\ndone"}],"summary":"The skill largely automates GitHub starring via gh CLI, which is not inherently dangerous. However, there is a notable security risk: the Node.js snippet builds shell commands by interpolating user-provided input into strings and then executes them (execSync). 
This pattern enables command injection if inputs are not strictly trusted. The Bash portion also uses an unquoted variable in a loop, which is safer to avoid but could lead to unexpected behavior with unusual repo names. Recommend avoiding shell command construction with untrusted input: prefer using a proper HTTP client or the gh CLI with controlled arguments (no string interpolation that includes user input), or use execFile/spawn with argument arrays, and sanitize/validate inputs. Also consider quoting variables in Bash to prevent word-splitting. Overall risk is high due to potential command injection in the Node.js code."}
npx machina-cli add skill besoeasy/open-skills/bulk-github-star --openclaw
Bulk GitHub Repository Starring
Automate starring all public repositories from any GitHub user with a single command.
When to use
- User asks to star all repos from a specific GitHub user
- Bulk appreciation for open source contributors
- Discovering and saving all projects from a creator
- Automation workflows for GitHub engagement
Required tools / APIs
- GitHub CLI (gh) with authentication
- No external API keys required (uses GitHub CLI token)
Install GitHub CLI:
# Ubuntu/Debian
sudo apt-get install -y gh
# macOS
brew install gh
# Alpine (Docker)
apk add github-cli
# Login required
gh auth login
Skills
star_all_user_repos
Star all public repositories from a GitHub user.
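# Star all repos from a user
USER="besoeasy"
# Keep only "$USER/<repo>" lines; the first tab-separated field is owner/name
repos=$(gh repo list "$USER" --limit 100 | grep "^$USER/" | cut -f1)
starred=0
# Read one repo per line instead of word-splitting an unquoted variable
while IFS= read -r repo; do
  [ -n "$repo" ] || continue
  echo "Starring: $repo"
  gh api -X PUT "/user/starred/$repo" && starred=$((starred + 1))
done <<< "$repos"
echo "Starred $starred repositories"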
Node.js:
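async function starAllUserRepos(username) {
  // execFileSync runs gh directly with an argument array, so no shell parses the inputs
  const { execFileSync } = require('child_process');
  // Reject anything that is not a plausible GitHub login (also stops a leading "-" being read as an option)
  if (!/^[A-Za-z0-9][A-Za-z0-9-]{0,38}$/.test(username)) {
    throw new Error(`Invalid GitHub username: ${username}`);
  }
  // Get all repos for user
  const output = execFileSync('gh', ['repo', 'list', username, '--limit', '100', '--json', 'nameWithOwner'], { encoding: 'utf8' });
  const repos = JSON.parse(output);
  let starred = 0;
  for (const repo of repos) {
    const [owner, name] = repo.nameWithOwner.split('/');
    try {
      // The API path is a single argv element, never a shell string
      execFileSync('gh', ['api', '-X', 'PUT', `/user/starred/${owner}/${name}`], { stdio: 'inherit' });
      console.log(`✓ Starred: ${repo.nameWithOwner}`);
      starred++;
    } catch (err) {
      console.error(`✗ Failed to star ${repo.nameWithOwner}:`, err.message);
    }
  }
  console.log(`\nCompleted: ${starred}/${repos.length} repositories starred`);
  return starred;
}
// Usage
// starAllUserRepos('besoeasy');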
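As an added example (not code from the open-skills project), the following goes one step beyond the argument-array advice in the scan finding at the top of this page: it allow-lists the username and also treats the repository list returned by gh as untrusted before any entry becomes part of an API path. LOGIN_RE, REPO_RE, runGh, starAll and SAMPLE_LIST are hypothetical names, the sample listing is constructed, and the character limits are conservative assumptions.

```javascript
// Added example: every name below (LOGIN_RE, REPO_RE, runGh, starAll, SAMPLE_LIST) is hypothetical.
// Conservative allow-lists: no leading "-", no whitespace, no shell or path metacharacters.
const LOGIN_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}$/;
const REPO_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/(?!\.{1,2}$)[A-Za-z0-9._-]{1,100}$/;

// Constructed sample of `gh repo list --json nameWithOwner` output, with three hostile entries.
const SAMPLE_LIST = JSON.stringify([
  { nameWithOwner: 'besoeasy/open-skills' },
  { nameWithOwner: 'besoeasy/demo.js' },
  { nameWithOwner: 'besoeasy/x; echo injected' }, // shell metacharacters
  { nameWithOwner: 'besoeasy/..' },               // would rewrite the API path
  { nameWithOwner: 'someone-else/repo' },         // not owned by the requested user
]);

// Default runner: gh is executed directly with an argv array, so no shell parses the values.
function runGh(args) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('gh', args, { encoding: 'utf8' });
}

// dryRun defaults to true so the accepted list can be confirmed before anything is starred.
function starAll(username, { run = runGh, dryRun = true } = {}) {
  if (typeof username !== 'string' || !LOGIN_RE.test(username)) {
    throw new Error('Rejected username');
  }
  const listing = JSON.parse(
    run(['repo', 'list', username, '--limit', '100', '--json', 'nameWithOwner']));
  const prefix = username.toLowerCase() + '/';
  const result = { accepted: [], skipped: [] };
  for (const { nameWithOwner } of listing) {
    // The listing is input too: check shape and ownership before it reaches an API path.
    const ok = typeof nameWithOwner === 'string' && REPO_RE.test(nameWithOwner) &&
      nameWithOwner.toLowerCase().startsWith(prefix);
    if (!ok) { result.skipped.push(nameWithOwner); continue; }
    if (!dryRun) run(['api', '-X', 'PUT', `/user/starred/${nameWithOwner}`]);
    result.accepted.push(nameWithOwner);
  }
  return result;
}
```

Calling starAll('besoeasy') performs only the listing call; pass { dryRun: false } once the username and the accepted list have been confirmed.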
star_with_filter
Star repos matching specific criteria (e.g., stars threshold, topic).
# Star only repos with at least 100 stars
USER="besoeasy"
MIN_STARS=100
# --argjson passes the threshold to jq as data instead of splicing it into the filter text
gh repo list "$USER" --limit 100 --json nameWithOwner,stargazerCount | \
  jq -r --argjson min "$MIN_STARS" '.[] | select(.stargazerCount >= $min) | .nameWithOwner' | \
  while IFS= read -r repo; do
    echo "Starring: $repo ($(gh api "/repos/$repo" | jq -r '.stargazers_count') stars)"
    gh api -X PUT "/user/starred/$repo"
  done
Rate limits / Best practices
- GitHub API: 5000 requests/hour for authenticated users
- Add delays between requests: sleep 0.5 to avoid rate limits
- Respect GitHub ToS - don't use for spam or manipulation
- Consider starring selectively rather than bulk for better curation
Agent prompt
You can bulk star GitHub repositories. When a user asks to star all repos from a GitHub user:
1. Verify GitHub CLI is authenticated: gh auth status
2. Get the list: gh repo list <username> --limit 100
3. Star each using: gh api -X PUT /user/starred/<owner>/<repo>
4. Report count of starred repositories
Always confirm the exact username before executing.
Never star private repos (not accessible via public API anyway).
Troubleshooting
Error: "gh: command not found"
- Install GitHub CLI first using package manager
Error: "not logged in"
- Run gh auth login and follow browser authentication
Error: "API rate limit exceeded"
- Wait 1 hour for rate limit reset
- Use sleep 1 between requests to slow down
Error: "Not Found"
- Verify the username is correct
- Check if user exists: gh api /users/<username>
See also
- random-contributor — find contributors to appreciate
- file-tracker — track file changes in starred repos
Source
git clone https://github.com/besoeasy/open-skills/blob/main/skills/bulk-github-star/SKILL.md
Overview
Automates starring all public repositories from a given GitHub user using the GitHub CLI. This helps you rapidly support open source creators, bulk-discover useful projects, and automate GitHub engagement.
How This Skill Works
It fetches a list of repositories for the target user with gh repo list, then iterates over the results to call gh api -X PUT /user/starred/<owner>/<repo> for each. A bash loop and a Node.js example demonstrate how to perform the operation programmatically.
When to Use It
- Someone asks you to star all repos from a specific GitHub user
- Bulk appreciation for open source contributors
- Discovering and saving all projects from a creator
- Automating GitHub engagement in workflows
- Onboarding or portfolio curation of a creator's work
Quick Start
- Step 1: Ensure GitHub CLI is installed and authenticated (gh auth login)
- Step 2: Run a script or command to list and star repositories for the target user (e.g., using gh repo list and gh api)
- Step 3: Review the starred count and add delays to respect rate limits
Best Practices
- Verify the target username before running (Always confirm the exact username)
- Ensure GitHub CLI (gh) is authenticated with gh auth status
- Star only public repositories to respect repository visibility
- Add delays between requests (e.g., sleep) to avoid rate limits
- Consider selective starring using filters to avoid clutter
Example Use Cases
- Star all public repositories from besoeasy to support their OSS work
- Bulk-star repos from a rising OSS creator after featuring them in a guide
- Discover and save all projects from a creator when curating a portfolio
- Automate engagement during a GitHub campaign by starring a creator's public repos
- Curate a list of a developer's projects for a showcase page