v1.0.0

OSS Contributor

Verdict: Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:12 AM.

Analysis

Review recommended: this skill is openly designed for OSS contribution, but it can use your GitHub token to automatically create public GitHub activity without per-action approval.

Guidance: Install only if you are comfortable delegating GitHub contribution activity to the agent. Start with --dry-run, avoid --auto/--yes, use explicit --repos instead of discovery, set conservative limits and blocklists, use a least-privilege GitHub token or dedicated account, and sandbox any repository test execution.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
Source: SKILL.md
"If `--auto` or `--yes`: proceed with all issues automatically."

The skill explicitly allows unattended processing; combined with its stated PR-opening purpose, this can publish GitHub activity without per-PR review.

User impact: The agent could create forks, branches, PRs, or related public activity under your GitHub account without you approving each change.
Recommendation: Use --dry-run or normal confirmation by default, avoid --auto/--yes unless repos are tightly scoped, and require human review before any public PR is opened.
Unexpected Code Execution
Severity: Medium | Confidence: Medium | Status: Concern
Source: SKILL.md
"--discover | false | Find trending repos matching your topics" ... "always_run_tests": true

The skill can discover public repos and its example config encourages running tests; test commands in arbitrary repositories can execute untrusted project code if run without containment.

User impact: A malicious or compromised repository could cause local command execution if the agent runs that repo's test scripts during automated contribution work.
Recommendation: Only run tests for repos you explicitly trust, use a sandbox/container for repo code, and avoid combining --discover, --auto, and automatic test execution.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
Source: SKILL.md
"requires": { "bins": ["curl", "git"] } ... "curl ... | jq -r '.login'"

The instructions use jq, but the declared binary requirements list only curl and git.

User impact: The skill may fail or rely on an undeclared local dependency during setup or execution.
Recommendation: Declare jq as a required binary or replace the jq-dependent command with a declared, available tool.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
Source: SKILL.md
"forks repos, implements fixes, and opens PRs on your behalf" ... "GH_TOKEN is already in the environment."

The skill delegates GitHub account authority to the agent, but the artifacts do not bound the token scopes or restrict it to a dedicated low-privilege account.

User impact: Whatever permissions GH_TOKEN has may be used for visible activity tied to your GitHub identity, and an over-scoped token could expose more authority than intended.
Recommendation: Use a dedicated fine-grained GitHub token or separate account with the minimum permissions needed, restrict target repos, and revoke the token when not in use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
Source: SKILL.md
| --notify-channel | _(none)_ | Telegram channel for PR notifications |

The skill documents an optional external notification channel, but the artifact does not define destination verification or the exact data sent.

User impact: PR or activity notifications could be sent to an unintended Telegram channel if the flag is used incorrectly.
Recommendation: Do not use --notify-channel unless you control the destination and understand what will be sent.
Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
Source: SKILL.md
ACTIVITY_FILE="$HOME/clawd/memory/oss-activity.json" ... HISTORY_FILE="$HOME/clawd/memory/oss-history.json"

The skill stores persistent contribution activity and issue history that can influence later runs.

User impact: Local history can affect which issues are skipped or retried and may reveal your contribution activity on a shared machine.
Recommendation: Review or clear these memory files periodically, especially before sharing the environment or changing GitHub identities.