GitHub Star Sustained Growth — Monthly 300+ Stars Playbook

Security checks across malware telemetry and agentic risk

Overview

This is a text-only GitHub star growth playbook with some aggressive outreach advice, but it does not run code, collect credentials, or automate actions by itself.

Install this only if you want an AI-assisted marketing playbook for GitHub star and open-source community growth. Treat DM automation, paid posting, KOL outreach, and repeated community posting as optional tactics that require human approval, clear disclosure where paid promotion is involved, consent-aware outreach, and compliance with LinkedIn, X/Twitter, Reddit, Hacker News, email, privacy, and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding:
The README explicitly recommends DM automation tooling such as Phantombuster for LinkedIn/Twitter outreach without any guardrails on consent, rate limits, platform terms, or account-safety. In an AI-agent skill context, this is more dangerous than a normal marketing document because an agent could operationalize the advice at scale, leading to spam, privacy misuse, platform enforcement, or reputational harm.

Missing User Warnings

Severity: Low | Confidence: 90%
Finding:
The README recommends paid Hacker News posting, KOL DM outreach, YouTube ads, and repeated Reddit posting as growth tactics without any guidance on complying with platform rules, disclosure requirements, anti-spam norms, or reputational risk. In a skill intended for operational reuse, users may copy these tactics directly and engage in behavior that violates community policies or gets accounts, domains, or projects flagged.

Vague Triggers

Severity: Medium | Confidence: 92%
Finding:
The trigger list includes broad terms such as 'open source community', 'community growth', and 'developer community growth', which can cause the skill to activate for many generic requests beyond its narrowly described purpose of GitHub star growth. Over-broad routing increases the chance this skill hijacks unrelated conversations and steers users into growth-marketing guidance they did not request, reducing reliability and creating prompt-routing risk.

Natural-Language Policy Violations

Severity: Medium | Confidence: 84%
Finding:
The skill body is written entirely in Chinese and does not offer a language-selection mechanism or declare a locale restriction, so it may be invoked for users who expect English or another language based on the English metadata and trigger list. This can lead to user confusion, misinterpretation of operational advice, and degraded safety if users act on partially understood instructions.

VirusTotal

64/64 vendors flagged this skill as clean.