Repo Analysis
v0.4.0
Read, explain, and evaluate a software repository or GitHub project in an engineering-oriented way. Use when the user asks to read a repo, understand a codeb...
by JY@9penny
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name, description, and SKILL.md are consistent: the skill's goal is to read and evaluate repositories. It does not request unrelated binaries, environment variables, or config paths. The included reference docs further support the described behavior.
Instruction Scope
SKILL.md describes a constrained, evidence-first workflow (scan repo shape, read high-signal files, trace flows). It does not instruct the agent to read unrelated system files, fetch unrelated credentials, or exfiltrate data. The optional GitHub health layer is explicitly conditional and lightweight.
Install Mechanism
No install spec and no code files are present. This instruction-only design means nothing is written to disk by the skill itself.
Credentials
The skill requires no environment variables, credentials, or config paths. There are no requests for tokens or secrets that would be disproportionate to the stated purpose.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system changes. disable-model-invocation is false (the normal setting), meaning the agent may invoke the skill autonomously; this is expected for skills and is not combined with any other privilege escalation.
Scan Findings in Context
[no_code_files_scanned] expected: The static scanner had no code files to analyze because this is an instruction-only skill (SKILL.md + reference docs). That is expected for a documentation/template-style skill. Absence of findings is not a guarantee of safety but is consistent with the package contents.
Assessment
This skill is instruction-only and internally consistent with its stated purpose, so it poses low direct risk. Before installing or running it, consider: (1) The agent executing the skill may have platform-level abilities (network access, running local tools). If you plan to analyze a private repo, ensure the agent has appropriate access and avoid supplying secrets or credentials to the skill. (2) The SKILL.md explicitly avoids running repository scripts, which reduces risk; nevertheless, if you instruct the agent to execute repo build/test commands, be cautious. (3) If you want to limit external metadata collection, ask the agent not to run the optional GitHub health layer. If you need higher assurance, run the skill against a non-sensitive public repo first to observe its behavior.
latest: vk97b9axd21nwczrgrgqg0hf5ys83jr5a