Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GitHub Action Generator
v1.0.1 · Generate GitHub Actions workflows from plain English. Use when setting up CI.
by@branexp
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw · Verdict: Suspicious (high confidence)
Purpose & Capability
The stated purpose — generating GitHub Actions workflows — matches the code and CLI behavior. The code (src/index.ts / dist/index.js) calls OpenAI to produce YAML and the CLI writes or prints workflow files, which is coherent with the description.
Instruction Scope
SKILL.md and the CLI usage are narrowly scoped to generating workflow YAML and optionally writing to .github/workflows/. The instructions do not instruct reading unrelated files or exfiltrating local data. Note: SKILL.md explicitly states 'Needs OPENAI_API_KEY' and the code reads process.env.OPENAI_API_KEY, so runtime requires that secret.
Install Mechanism
There is no install spec in the registry (instruction-only behavior), and the package is a normal Node CLI (package.json, dist/*). The skill does not download code from arbitrary URLs at install time. Running via npx will fetch the npm package (normal behaviour) — no high-risk remote install pattern was found in the files provided.
Credentials
The skill requires an OpenAI API key at runtime: src/index.ts and dist/index.js instantiate OpenAI with process.env.OPENAI_API_KEY. However the registry metadata lists no required environment variables or primary credential — an explicit mismatch. Requesting an API key is proportionate to using OpenAI, but the missing declaration is an incoherence that could confuse users about what secrets they'll need to supply.
Persistence & Privilege
The skill does not request persistent/automatic inclusion (always:false). It can write files into the repository when invoked with --install, which is expected for a workflow generator and is user-initiated; no evidence it modifies other skills or system-wide agent settings.
What to consider before installing
This tool legitimately uses the OpenAI API to generate workflow YAML, but the registry record failed to declare that requirement. Before installing or running:
(1) Be aware you must provide OPENAI_API_KEY; the CLI will call OpenAI with that key. Use a key with minimal privileges or billing limits if possible.
(2) Review the included source (src/index.ts, dist/index.js): it shows calls to OpenAI and writes files only where requested (--install).
(3) Verify the package identity (check the upstream GitHub repo URL in package.json) and npm package integrity before running npx.
(4) When using --install, inspect the generated workflow YAML for secret usage, unintended credential insertion, or deployment steps that could push images or credentials.
If you want to avoid exposing a production key, run it locally with a throwaway/limited key, or review the code and simulate the request flow first.
Like a lobster shell, security has layers: review code before you run it.
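The review in point (4) is easy to skip when the YAML looks plausible. Below is an added example of a dependency-free screening pass you can run on a generated workflow before committing it; it is not code from this skill or from ClawHub's scanner. The rule set, the rule ids, and the sample workflow are the editor's assumptions about what a generator might emit, and the scan is line-oriented rather than a YAML parse, so it goes a little beyond the page's list (it also flags the pull_request_target trigger, curl-pipe-to-shell steps, and actions not pinned to a commit SHA).

```typescript
// Added example (not the skill's code): screen a generated GitHub Actions
// workflow for patterns that need a human look before it is committed.
// Line-oriented, not a YAML parser: a command split across lines inside a
// `run: |` block can slip through, so treat hits as review prompts.

interface Finding {
  line: number;  // 1-based line in the workflow text
  rule: string;  // short rule id (editor's naming)
  why: string;   // what the reviewer should check
  text: string;  // the offending line, trimmed
}

interface Rule {
  id: string;
  why: string;
  block: boolean; // true = do not commit without an explicit human decision
  test: (line: string) => boolean;
}

const SHA40 = /^[0-9a-f]{40}$/;

const RULES: Rule[] = [
  {
    id: "pull_request_target",
    why: "runs fork PRs with the repo's write token and secrets",
    block: true,
    test: (l) => /^\s*pull_request_target\s*:/.test(l),
  },
  {
    id: "broad-permissions",
    why: "GITHUB_TOKEN granted write access the job may not need",
    block: false,
    test: (l) =>
      /^\s*permissions\s*:\s*write-all\s*$/.test(l) ||
      /^\s*(contents|packages)\s*:\s*write\s*$/.test(l),
  },
  {
    id: "secret-reference",
    why: "confirm the secret is needed and is not echoed to logs",
    block: false,
    test: (l) => /\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}/.test(l),
  },
  {
    id: "pipe-to-shell",
    why: "remote script executed without verification (curl | sh)",
    block: true,
    test: (l) => /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b/.test(l),
  },
  {
    id: "deploy-step",
    why: "publishes an artifact; generated workflows should not deploy unreviewed",
    block: true,
    test: (l) =>
      /\b(docker\s+push|npm\s+publish|gh\s+release\s+create|aws\s+s3\s+(cp|sync)|kubectl\s+apply)\b/.test(l),
  },
  {
    id: "unpinned-action",
    why: "action referenced by tag or branch instead of a commit SHA",
    block: false,
    test: (l) => {
      const m = /^\s*-?\s*uses\s*:\s*([^\s#]+)/.exec(l);
      if (!m || m[1].startsWith("./") || m[1].startsWith("docker://")) return false;
      const ref = m[1].split("@")[1] ?? "";
      return !SHA40.test(ref);
    },
  },
];

function auditWorkflow(yaml: string): Finding[] {
  const findings: Finding[] = [];
  yaml.split(/\r?\n/).forEach((text, i) => {
    for (const r of RULES) {
      if (r.test(text)) findings.push({ line: i + 1, rule: r.id, why: r.why, text: text.trim() });
    }
  });
  return findings;
}

function shouldBlock(findings: Finding[]): boolean {
  const blocking = new Set(RULES.filter((r) => r.block).map((r) => r.id));
  return findings.some((f) => blocking.has(f.rule));
}

function formatReport(findings: Finding[]): string {
  if (findings.length === 0) return "no findings";
  return findings.map((f) => `L${f.line} [${f.rule}] ${f.why}\n    ${f.text}`).join("\n");
}

// Constructed sample of the kind of YAML a generator might produce for
// "build and push the image on every PR"; not output from this skill.
const SAMPLE_WORKFLOW = [
  "name: build-and-push",
  "on:",
  "  pull_request_target:",
  "    branches: [main]",
  "permissions: write-all",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - run: curl -sSL https://example.invalid/setup.sh | bash",
  "      - name: Login",
  '        run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u me --password-stdin',
  "      - run: docker push me/app:latest",
  "      - uses: actions/setup-node@8f152de45cc7cc3f71aa1e0e6a7e8d4c0f0a8b1c",
].join("\n");

console.log(formatReport(auditWorkflow(SAMPLE_WORKFLOW)));
console.log(shouldBlock(auditWorkflow(SAMPLE_WORKFLOW)) ? "BLOCK: needs sign-off" : "OK to review normally");
```

Run it against the file the CLI wrote into .github/workflows/ before committing. A secret reference on its own is often legitimate (a deploy job has to log in somewhere), which is why it is reported but not blocking; the combination of a secret with pull_request_target or a curl-pipe step is the case worth refusing outright.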
