v1.0.0

GitHub项目调研器 (GitHub Project Researcher)

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:03 AM.

Analysis

This instruction-only skill is a coherent GitHub project research helper, with only purpose-aligned use of GitHub API and optional local CLI commands.

Guidance: This skill appears safe for comparing public GitHub projects. Be aware it may call GitHub APIs and may optionally use your GitHub CLI login if you choose the `gh api` path after rate limiting.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
curl -s "https://api.github.com/search/repositories?q=关键词&sort=stars&order=desc&per_page=15"

The skill instructs the agent to use shell commands and GitHub API calls to gather repository data. This is expected for the stated purpose, but it is still external tool and network use.

User impact: The agent may run local command-line examples and send search terms or repository names to GitHub's API.
Recommendation: Use it for public repository research, and review commands before running them if your environment restricts shell or network access.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
When you hit a 403 rate limit, switch to `gh api` or wait

The optional fallback to GitHub CLI API usage may use an existing authenticated GitHub CLI session. This is purpose-aligned, but the metadata does not declare a credential requirement.

User impact: If the GitHub CLI is logged in, API requests may be made under the user's GitHub account rather than anonymously.
Recommendation: Prefer anonymous curl requests for public data when possible, or confirm you are comfortable using your logged-in GitHub CLI session for rate-limit handling.