GitHub Analyzer

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill matches its GitHub repository analysis purpose; the main cautions are unverified provenance, generated deployment commands, and untrusted README text saved in reports.

This skill appears safe for its stated purpose if you are comfortable running a small shell script that queries public GitHub endpoints and writes local Markdown reports. Before installing or using it, review the script, choose an output directory intentionally, and do not automatically run deployment commands or follow instructions embedded in README excerpts from analyzed repositories.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users have less external context for validating the publisher or update history.

Why it was flagged

The provided metadata does not identify a source repository or homepage, which makes provenance harder to verify even though the bundled files are visible for review.

Skill content
Source: unknown
Homepage: none
Recommendation

Review the included script before use and prefer a verified upstream source if one becomes available.

What this means

If a user or agent blindly runs the generated deployment commands, untrusted repository code or dependencies could execute locally.

Why it was flagged

The script includes deployment commands such as docker-compose, npm, pip, go, cargo, and make in generated reports. These are recommendations and are not executed by the script, but following them could run code from the analyzed project.

Skill content
DEPLOY_ADVICE="推荐使用 Docker 部署\n\`\`\`bash\ndocker-compose up -d\n\`\`\`"
Recommendation

Treat deployment commands as suggestions only; inspect the target repository and dependency files before running them.

What this means

A generated report may preserve untrusted repository text that should not be treated as authoritative instructions.

Why it was flagged

The script fetches repository README content and saves the first 50 lines into a persistent local Markdown report. That content is controlled by the analyzed repository and could contain misleading instructions or prompt-injection text if later read by an agent.

Skill content
README_FIRST_LINES=$(echo "$README_CONTENT" | head -50)
Recommendation

When reviewing reports, treat README excerpts as untrusted project content and do not let them override user intent or security decisions.