Skill v1.0.2

ClawScan security

GitHub Trending Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 11:05 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (it instructs the agent to use a CLI to fetch GitHub trending data), but it assumes installing a third-party npm package (github-discover) and omits guidance about GitHub auth/rate limits and package provenance.
Guidance
This skill is coherent: it instructs use of the github-discover CLI to produce reports. Before installing or using it, verify the npm package: check the github-discover package page (npm view github-discover repository, homepage, and maintainers), review its source code/repository, and confirm it is from a trusted author. Be aware that global npm installs run third-party code on your system; consider installing in a container or VM if you want isolation. Also note the SKILL.md does not mention GitHub auth or rate limits; if you plan frequent queries, set up a GITHUB_TOKEN and check the CLI docs for how to configure it. If you need higher confidence, provide the github-discover package repository or a homepage URL so provenance can be verified.

Review Dimensions

Purpose & Capability
ok: The name/description match the runtime instructions: the SKILL.md tells the agent to call the github-discover CLI to produce trending, popular, and topic reports. Requiring Node.js and an npm-installed CLI is reasonable for this purpose.
Instruction Scope
note: Instructions limit the agent to checking for the CLI, running three github-discover commands, and combining their JSON outputs into a report, all within the stated purpose. The doc does not mention GitHub authentication or rate limits (e.g., GITHUB_TOKEN), which may be required for heavier use; that omission may cause failures or unexpected network behavior but is not itself incoherent.
Install Mechanism
note: This is an instruction-only skill (no install spec in registry), but SKILL.md instructs the user to run `npm install -g github-discover`. Installing a global npm package executes code from the npm registry, a normal choice but a moderate operational risk if the package provenance is unknown. The skill itself does not perform any installs automatically.
Credentials
note: The registry declares no required env vars or credentials, which aligns with the high-level description. However, the CLI likely calls the GitHub Search API; for larger workloads, or to avoid low unauthenticated rate limits, the CLI or API calls may require or benefit from a GITHUB_TOKEN. The SKILL.md does not document this or any credential-related env vars.
Persistence & Privilege
ok: The skill does not request persistent presence (always:false), does not declare any config paths, and does not attempt to modify agent/system settings. It is user-invocable only, which is appropriate for a report-generating CLI wrapper.