Alon Github Security Audit
v0.1.7
Audit GitHub repositories or local directories for malicious code, backdoors, suspicious behavior, and supply-chain risk, then write a structured report to a...
by alon (@alondotsh)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the included artifacts: SKILL.md describes static auditing of GitHub repos/local directories and the package includes helper scripts to clone and safely remove temporary clones. Declared binaries (git, python3) are appropriate and sufficient.
Instruction Scope
Instructions stay within audit scope (static analysis, no dependency installs, no executing target code). One minor ambiguity: SKILL.md emphasizes a default 'no network access' offline audit, but the documented workflow explicitly clones GitHub URLs (git clone), which necessarily uses network access — this is expected for remote-repo audits, but users should be aware of it. The skill promises not to read unrelated home directories unless the user expands the scope; the code enforces safety checks on cleanup paths.
Install Mechanism
No install spec; skill is instruction-first and bundles two small helper scripts. No downloads from external URLs or archive extraction are present, minimizing install-time risk.
Credentials
The skill requires no environment variables or credentials. clone_repo.py validates GitHub URLs and supports SSH-style URLs but does not request SSH keys itself (it relies on the user's git/ssh environment), which is appropriate for the stated purpose.
Persistence & Privilege
The always flag is false, and the skill does not request persistent privileges or modify other skills or configuration. Cleanup.py enforces strict checks before deleting, to avoid accidental removal of non-temporary paths.
Assessment
This skill appears to do what it says: it performs a static audit of a local directory or a cloned GitHub repo and includes small, well-scoped helper scripts. Before installing or running it, be aware that: (1) cloning a remote GitHub URL uses network access (expected); (2) private repositories will require your existing git/SSH credentials to succeed — the skill does not request or store new credentials; (3) the skill will not install or execute target project dependencies by default, but you may be prompted to opt into online vulnerability checks, which will contact external databases only after explicit consent; (4) cleanup safely refuses to delete paths outside the temp directory pattern, but you should still run it in an environment you control. If you need absolute offline guarantees, avoid supplying remote URLs and audit a local copy instead.
