GitHub Topics
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: github-topics
Version: 0.1.0

The OpenClaw skill 'github-topics' is designed to fetch GitHub trending repositories and README summaries. All network requests in `src/github_fetcher.py` and `src/readme_fetcher.py` are directed to official GitHub API endpoints (`api.github.com` and `raw.githubusercontent.com`). The `GH_TOKEN` environment variable, if provided, is used legitimately for authentication with GitHub to increase API rate limits, as documented in `SKILL.md` and implemented in `src/config.py`. There is no evidence of data exfiltration to unauthorized third parties, malicious command execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's intended behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a broad GitHub token is supplied, the local scripts will send it to GitHub for API authentication.
The skill can use a GitHub credential, although it is optional and purpose-aligned for API rate limits.
`GH_TOKEN` | GitHub Personal Access Token (optional, for higher rate limits)
Use a fine-grained or minimal-scope token only if higher rate limits are needed; do not use an over-privileged personal token.
Installation depends on whatever version of requests is resolved at install time.
The dependency is installed manually and unpinned, and there is no install spec declaring it.
pip install requests
Prefer a declared, pinned dependency or install requests from a trusted package index/environment.
The mismatch may make provenance or maintenance history less clear, but it does not show hidden execution by itself.
This package docstring describes an unrelated AI Daily/smol.ai project, suggesting stale copied metadata, though no matching behavior appears in the executable code.
AI Daily - automatic AI news daily generator. Automatically fetches AI news from smol.ai, analyzes and categorizes it with Claude, and generates a polished HTML page
The publisher should remove or correct stale package metadata so the artifacts consistently describe the GitHub Topics skill.
A README could contain misleading text or prompt-like instructions that should not control the agent.
The skill retrieves repository README content from GitHub and turns it into text summaries, so untrusted repository text can enter the agent's context.
readme = self.fetch_readme(owner, repo)
summary = self._extract_text_from_markdown(readme)
Treat fetched README content strictly as untrusted source material to summarize, not as instructions to follow.
