Skillv1.2.0

ClawScan security

Repo Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 25, 2026, 2:28 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it claims (GitHub repo analysis) but contains several incoherences and risky instructions — notably it implicitly requires a GITHUB_TOKEN while declaring no env requirements, instructs reading ~/.bashrc to extract credentials, and runs shell commands (bird/gh) that would receive the agent's environment — so treat it with caution.
Guidance: This skill implements a plausible GitHub repo analyzer, but there are notable red flags you should consider before installing or running it: - Credential handling: The skill expects a GITHUB_TOKEN but the registry metadata does not declare it; SKILL.md even tells you to source ~/.bashrc or grep it out of that file. Do NOT store or extract long-lived tokens from shell rc files for third-party tools. Prefer providing a token via the --token flag or a short-lived token with minimal scopes. - Local file access: The documentation instructs reading ~/.bashrc; that is a direct local file read that could expose other secrets if you follow the provided commands. Avoid running those exact source/grep commands unless you understand what they'll reveal. - Child process execution: The code executes external CLIs (bird, gh) using child_process.execSync and forwards environment variables. If you run the skill and those CLIs are present (or replaced by malicious binaries), your environment (including tokens) could be exposed. Only run in an isolated environment or confirm the CLIs are trustworthy. - Auto-triggering on pasted tweets: The skill will attempt to fetch tweet content automatically and include it in reports. If you paste a private or sensitive URL, the skill may fetch and include that text in outputs. - Mitigations: Inspect the full analyze.js file locally, run the tool in an isolated container/VM, use a minimal-scope GitHub PAT (or a read-only token), avoid storing tokens in ~/.bashrc, and do not allow the skill to auto-run on arbitrary pasted content. If you need higher assurance, ask the author for clearer metadata (declare GITHUB_TOKEN requirement) and for an option to disable invoking external CLIs or auto-triggering on tweets.

Review Dimensions

Purpose & Capability: concernThe README/SKILL.md clearly describes a GitHub repo trust scorer and the bundled scripts implement that. However the skill declares no required environment variables while the docs state 'CRITICAL: Always run with GITHUB_TOKEN loaded' and the code uses process.env.GITHUB_TOKEN. The SKILL.md also claims 'zero external dependencies' but the runtime optionally invokes external CLIs (bird, gh) and the code expects Node.js 18+. There's a version mismatch (registry metadata 1.2.0 vs package.json 1.1.1). These mismatches (missing declared env, undeclared external CLI reliance) are disproportionate to the stated metadata and reduce coherence.
Instruction Scope: concernSKILL.md explicitly instructs sourcing ~/.bashrc and even gives a grep snippet to extract GITHUB_TOKEN from that file — that directs the agent/user to read a local shell config file containing secrets. The skill also auto-triggers on pasted X/Twitter URLs and instructs the agent to 'ALWAYS include the tweet text/context', and the code will try to read tweets via a local 'bird' CLI or public syndication endpoints. The instructions therefore request local secrets and run shell commands to fetch external content; this goes beyond simply calling the GitHub API to analyze a repo and grants broad discretion to access local files and run arbitrary CLIs.
Install Mechanism: noteThere is no install spec (instruction-only at registry level) but the package bundle contains multiple scripts and supporting files. No external downloads or archive extraction are used — code is present in the skill bundle. That keeps the install risk low, but the presence of runnable scripts means installing/executing them will run code on the host.
Credentials: concernThe skill requests no env vars in metadata but both SKILL.md and scripts expect GITHUB_TOKEN for full functionality. Moreover, the SKILL.md instructs users to source ~/.bashrc and extract the token from there. The code executes external CLIs via child_process.execSync while passing process.env, so any invoked CLI (bird, gh, etc.) would receive the agent's environment including secrets. Requiring an unrestricted PAT without guidance on minimal scopes and instructing reading ~/.bashrc is disproportionate and potentially exposes sensitive credentials.
Persistence & Privilege: okThe skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It is user-invocable and can be invoked autonomously (disable-model-invocation:false), which is normal and not by itself a red flag. Auto-trigger behavior on pasted X/Twitter URLs is a functional choice but increases privacy exposure (tweet text and extracted links will be fetched).