Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Actions Gen

v3.0.0

Generate GitHub Actions workflow YAML files for CI/CD. Use when setting up automated pipelines.

by BytesAgain2 @ckchzh
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included script and commands. The SKILL.md maps directly to scripts/script.sh which implements create, template, lint, list, optimize, and secrets actions aimed at GitHub Actions YAML generation and checks. The requested capabilities (none) are appropriate for the stated purpose.
Instruction Scope
Instructions ask the agent to run the local shell script with user-supplied arguments; the script only reads files given as arguments and uses $HOME to create a data directory. There is no network exfiltration or access to unrelated system credentials. Minor scope mismatch: SKILL.md/list output mentions a few types/languages (e.g., test, lint, go, release, docker) that the create/template handlers do not actually implement — this is a correctness/usability issue, not a security issue.
Install Mechanism
No install spec and no downloads; the skill is effectively instruction + one bundled script. This is low risk because nothing is fetched from the network or installed automatically.
Credentials
The skill declares no environment variables or credentials. The bundled script similarly does not read secrets or external credentials. It creates a data directory under ~/.local/share/github-actions-gen but does not write any sensitive tokens. Proportional.
Persistence & Privilege
always is false and the skill does not request privileged or persistent system changes. It creates its own data directory in the user's home, which is normal for user-level tools.
Assessment
This skill appears to do what it says: run the bundled shell script to produce or inspect GitHub Actions YAML. Before installing or executing, review scripts/script.sh yourself (it is included) to ensure you accept running a local shell script. Note the script will create ~/.local/share/github-actions-gen (benign). The script's templates and help text are simplistic and some listed types/languages are not implemented — expect limited functionality. Only run the skill if you trust the BytesAgain source; avoid running it on repositories with sensitive data unless you inspect its behavior first.

Like a lobster shell, security has layers — review code before you run it.
