Back to skill
Skillv1.0.0
ClawScan security
Github Trending · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 6:31 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says: it fetches and parses GitHub Trending pages using only the Python standard library, requests no credentials, and has no install step — the code and instructions are coherent with the stated purpose.
- Guidance
- This skill appears internally consistent and low-risk: it scrapes GitHub Trending pages with a small standard-library Python parser and asks for no secrets. Before installing, consider: (1) GitHub may block or throttle scraping — avoid frequent automated polling and respect Terms of Service; (2) the HTML parser is fragile and may need updates if GitHub changes markup; (3) run the script in a sandbox or with restricted network egress if you want extra safety; (4) if you prefer an API-backed approach (more stable and official), use a GitHub API-based skill (which will require credentials). If you want even lower risk, review the included script locally (it's small) before enabling autonomous invocation.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation: the script fetches https://github.com/trending and parses trending repos. No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- okSKILL.md only instructs running the included Python script with command-line args. The instructions and script limit actions to fetching and parsing GitHub HTML; they do not read local files, environment secrets, or send data to other endpoints.
- Install Mechanism
- okNo install spec; the skill is instruction-only plus a small Python script that uses only the standard library (urllib, html.parser). Nothing is downloaded or installed at runtime.
- Credentials
- okNo environment variables, credentials, or config paths are required. Network access is limited to GitHub's trending pages, which is expected for the stated functionality.
- Persistence & Privilege
- okThe skill does not request persistent presence (always:false) and does not modify other skills or system configuration. Autonomous invocation is allowed by default but is not coupled with elevated privileges or broad access.