Github Topics

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—fetch GitHub repository rankings and README summaries—with only minor setup, credential, and untrusted-content cautions.

This skill is reasonable to install if you want GitHub topic rankings. Before using it, install dependencies from a trusted environment, avoid supplying a GitHub token unless you need higher rate limits, use a minimal-scope token if you do, and remember that repository README content is untrusted text to summarize rather than obey.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a broad GitHub token is supplied, the local scripts will send it to GitHub for API authentication.

Why it was flagged

The skill can use a GitHub credential, although it is optional and purpose-aligned for API rate limits.

Skill content
`GH_TOKEN` | GitHub Personal Access Token (optional, for higher rate limits)
Recommendation

Use a fine-grained or minimal-scope token only if higher rate limits are needed; do not use an over-privileged personal token.

What this means

Installation depends on whatever version of requests is resolved at install time.

Why it was flagged

The dependency is installed manually and unpinned, and there is no install spec declaring it.

Skill content
pip install requests
Recommendation

Prefer a declared, pinned dependency or install requests from a trusted package index/environment.

What this means

The mismatch may make provenance or maintenance history less clear, but it does not show hidden execution by itself.

Why it was flagged

The package docstring describes an unrelated AI Daily/smol.ai project, suggesting stale copied metadata, though no matching behavior appears in the executable code.

Skill content
AI Daily - automatic AI news daily digest generator
Automatically fetches AI news from smol.ai, analyzes and categorizes it with Claude, and generates a polished HTML page
Recommendation

The publisher should remove or correct stale package metadata so the artifacts consistently describe the GitHub Topics skill.

What this means

A README could contain misleading text or prompt-like instructions that should not control the agent.

Why it was flagged

The skill retrieves repository README content from GitHub and turns it into text summaries, so untrusted repository text can enter the agent's context.

Skill content
readme = self.fetch_readme(owner, repo)
summary = self._extract_text_from_markdown(readme)
Recommendation

Treat fetched README content strictly as untrusted source material to summarize, not as instructions to follow.