Skill v1.0.0

ClawScan security

Github Trending · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 6:51 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill scrapes GitHub's public /trending pages using only Python's standard library; its code, declared dependencies, and instructions are coherent with the stated purpose and request no secrets or unusual privileges.
Guidance
This appears coherent and low-risk: the script only makes HTTP requests to github.com/trending and parses the returned HTML using Python stdlib. Before trusting or running code from an unknown source, you may want to: (1) quickly review the script (it is short) to confirm there are no hidden network calls or data exfiltration (the provided code shows none), (2) run it in a controlled environment if you are concerned, and (3) be aware that HTML scraping is brittle (GitHub may change page structure) and frequent automated requests can be rate-limited or blocked and may have Terms-of-Service implications. No secrets or system files are accessed by this skill.

Review Dimensions

Purpose & Capability
ok
Name/description claim: fetch GitHub trending by period/language without API key. The included script and SKILL.md implement exactly that (urllib + html.parser). No unrelated credentials, binaries, or installation steps are requested.
Instruction Scope
ok
Runtime instructions and the script only perform an HTTP GET to github.com/trending and parse the HTML. There are no steps that read local files, environment secrets, or send data to other endpoints. The scope is narrowly limited to fetching and parsing GitHub trending pages.
Install Mechanism
ok
No install spec; the skill is instruction-only plus a single Python script that uses only the standard library. Nothing is downloaded or written during install.
Credentials
ok
No environment variables, credentials, or config paths are requested. The skill's network access (outbound HTTP to github.com) is proportional to its purpose.
Persistence & Privilege
ok
Does not request always:true or any elevated/persistent presence. It is user-invocable and follows normal autonomous-invocation defaults.