GitHub Intelligence

v1.0.0

Analyze any GitHub repository in AI-friendly format. Convert entire repos to single markdown documents, generate architecture diagrams with Mermaid, inspect...

0· 615·4 current·4 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, scripts, and declared primary credential (GITHUB_TOKEN, optional) align: the skill fetches and analyzes public GitHub data and converts repos to markdown/diagrams, which legitimately requires GitHub API access.
Instruction Scope
SKILL.md and the scripts are focused on read-only static analysis of GitHub repositories. The instructions and code only fetch repository metadata and file contents and do not instruct execution of repo code or exfiltration to third-party endpoints beyond GitHub.
! Install Mechanism
SKILL.md asserts 'Python stdlib only, no dependencies', but both included scripts import the third-party 'requests' package. There is no install specification (no pip/requirements), so runtime may fail or require the agent to install 'requests' from PyPI — an installation step that is not declared and increases risk.
Credentials
Only an optional GITHUB_TOKEN is used (declared as primaryEnv). The token usage is proportional for raising GitHub rate limits and is consistent with the skill's purpose; no other secrets or unrelated env vars are requested or accessed.
Persistence & Privilege
Skill does not request persistent/always-on presence and does not modify other skills or system-wide settings. Default autonomy is allowed (normal) and there are no elevated privilege requests.
What to consider before installing
This skill appears to do what it claims (read-only GitHub repo analysis) and only asks optionally for a GitHub token, which is reasonable. However, the README claims 'stdlib only' but the scripts import the third-party 'requests' package and there is no install specification. Before installing or invoking it:
1) Ask the publisher to correct the documentation (declare 'requests' as a dependency) and provide an explicit install step (e.g., requirements.txt or pip install).
2) If you must run it, prefer providing a limited-scope personal access token (or none) and run it in a sandboxed environment so that an unexpected install (pip) or network behavior is constrained.
3) If you require stronger assurance, request a version that avoids third-party packages or includes a vetted install manifest.
Overall: functionally coherent, but the mismatch around dependencies and lack of install instructions is a notable risk.


latest vk97crv7nxgrcq9begwd6vy0y6n81fkz3


Runtime requirements

🔍 Clawdis
Primary env: GITHUB_TOKEN
