Github Growth Tracker

v1.4.0

Track GitHub repo growth (stars, forks, issues, commits) with periodic digests and trend analysis. Compare your repos against a watchlist. Use when checking...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: stale
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description align with the behavior: the script calls the GitHub REST API to fetch repo metrics and stores per-repo history. However, registry metadata lists no required credential while SKILL.md and the script require a GitHub Personal Access Token (GITHUB_TOKEN) — this mismatch is a packaging/metadata omission.
Instruction Scope
SKILL.md instructs only GitHub-related actions (setup, fetch, digest, add/remove/list). It documents credentials, data directory, and scheduling. It explicitly warns that tokens saved to disk are stored plaintext and offers env var use as an alternative. The runtime instructions and provided script do not attempt to read unrelated system files or exfiltrate data to endpoints other than api.github.com.
Install Mechanism
No install specification; the skill is instruction-only plus a Python script using only the standard library (urllib). No remote downloads or package installs are performed by the skill itself.
Credentials
The only secret required is a GitHub PAT, which is appropriate for the stated purpose. The script supports GITHUB_TOKEN env var or saving a token file. The registry metadata failing to declare this required credential is inconsistent and should be corrected. The skill stores the token in a JSON file (plaintext) under the data directory but sets file mode 600; SKILL.md recommends using the env var for higher security.
Persistence & Privilege
The skill persists data and credentials to a per-skill data directory (SKILL_DATA_DIR or ~/.config/github-growth-tracker/). It does not request permanent platform-wide privileges, does not set always:true, and does not modify other skills' configuration.
Assessment
This skill appears to be what it says: a GitHub metrics tracker. Before installing, note:
1) You must provide a GitHub Personal Access Token (fine-grained, public-repo read-only recommended). The skill can read GITHUB_TOKEN from the environment or save it to <DATA_DIR>/github.json; saving to disk writes the token in JSON (the script sets file mode 600). If you prefer greater safety, set GITHUB_TOKEN as an environment variable instead of running setup --token.
2) The registry metadata does not declare the required token — treat the SKILL.md/script as the source of truth.
3) The script only contacts api.github.com; if you want extra assurance, review the included scripts/github_tracker.py yourself or run the skill in a sandboxed agent first.
4) Use a least-privilege token (fine-grained, read-only for public repos) and consider setting SKILL_DATA_DIR to a directory you control.
If any of these points are unacceptable, do not install or run the skill until the maintainer fixes the metadata and you have verified the code.
