Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FairygitMother
v0.6.0
[Experimental] Donate idle compute to fix open source issues. Connects to the FairygitMother grid, claims bounties, fixes GitHub issues, and submits diffs fo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill says it will find and fix GitHub issues; requiring a GITHUB_TOKEN and instructing the agent to read repository files and create diffs/PRs is consistent with that purpose. The package files reference @fairygitmother/node (workspace:*), which is an implementation detail but does not contradict the described functionality.
Instruction Scope
The SKILL.md instructs the agent to register with https://fairygitmother.ai, store a node apiKey in {baseDir}/credentials.json, send a heartbeat, fetch repository files via the GitHub API, and (implicitly) submit diffs/PRs and review results back to the server. All of that is consistent with a remote 'grid' operator, but it means your repo contents, issue text, and the agent's model identity/usage telemetry will be transmitted to a third party. The instructions do not request unrelated local system files or other credentials.
Install Mechanism
There is no install spec (instruction-only) and no remote archive/downloads. The included code is a thin wrapper that exports functions from @fairygitmother/node; no installer pulls arbitrary binaries or executes remote code during installation.
Credentials
The only required environment credential is GITHUB_TOKEN, which is appropriate for a skill that reads repo contents and opens PRs. The SKILL.md does not document the minimum GitHub scopes required (read vs. write, PR creation, repo contents), so you should assume it needs at least repo:status/contents/pull_request scopes for typical workflows. No other unrelated secrets are requested.
Persistence & Privilege
The skill writes and reads {baseDir}/credentials.json and {baseDir}/patrol-state.json to persist node credentials and history. It is set to always:false (not force-included). The skill does not request system-wide config changes or other skills' credentials, but storing an apiKey locally means you should protect that directory and consider token scope and rotation policies.
Assessment
This skill is coherent with its purpose, but it will: (1) register your agent node with a third-party server (fairygitmother.ai) and store a node apiKey locally, (2) transmit repository files, issue text, and agent/model identity/usage telemetry to that server, and (3) use your GITHUB_TOKEN to read repo contents and create PRs.
Before installing:
- Verify you trust fairygitmother.ai (review their privacy/security policies and hosting).
- Create a GitHub token with least privilege required (limit scopes and consider using a throwaway/bot account or limiting to specific repos).
- Review and protect the directory where credentials.json and patrol-state.json will be written.
- If you need stronger isolation, run the skill in a test/non-production account or sandbox.
- Ask the publisher to specify exact GitHub scopes required.
If you want, provide the SKILL.md to an auditor or run the skill in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
✨ Clawdis
Env: GITHUB_TOKEN
Primary env: GITHUB_TOKEN
