Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Github Reader
v3.1.3Automatically interprets GitHub repositories to generate structured reports with project stats, core features, architecture highlights, and quick links.
⭐ 0· 310·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The files and runtime instructions align with the described purpose: the code fetches GitHub API data, optionally scrapes third-party analysis (zread.ai), renders pages via a browser tool, and caches results. No unrelated credentials or exotic binaries are requested. One minor note: registry metadata indicated 'instruction-only' (no install spec) while the package actually includes code and an install script—this is plausible but should be noticed.
Instruction Scope
SKILL.md tells users to run the packaged install script and restart the agent gateway (expected). However a pre-scan found 'unicode-control-chars' in SKILL.md (prompt-injection pattern). The docs include references to local endpoints (http://localhost:8080 for GitView) and third-party zread.ai—these are expected for functionality, but the presence of unicode control characters in the skill documentation is suspicious because such characters can be used to hide or alter prompts and may attempt to manipulate model parsing. Also SECURITY_AUDIT.md and PACKAGE.md include diagnostic commands that reference local paths, but they do not directly instruct the skill to read arbitrary unrelated user files.
Install Mechanism
Install is via a packaged shell script (install_v3_secure.sh) that copies the included files into a user skill directory and creates /tmp/gitview_cache. There are no external downloads, no use of URL shorteners or untrusted hosts in the installer, and files are local to the package—this is lower risk than remote installs. The install script does set permissions and creates directories in the user's home and /tmp, which is expected for a skill that caches data.
Credentials
No required secrets or primary credential are declared. Environment variables referenced are all configuration flags for caching, timeouts, and concurrency (GITVIEW_*) which are proportionate to the functionality. Documentation mentions optional future support for a GITHUB_TOKEN for private repos, but that is not required now.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only (normal). The installer copies files into the user's skill directory and creates a cache directory; it does not request or attempt to modify other skills or global system settings. Autonomous invocation is allowed by default but not an additional privilege in this package.
Scan Findings in Context
[unicode-control-chars] unexpected: Detected control/unicode characters in SKILL.md that may be used for prompt-injection or to hide content from cursory inspection. This is not needed for a GitHub analysis skill and should be inspected in the raw file before trusting the package.
What to consider before installing
What to consider before installing:
1) Prompt-injection artifact: SKILL.md contains unicode control characters (scanner flagged 'unicode-control-chars'). Open the SKILL.md in a hex-capable editor or use a script (e.g., grep -nP '\p{C}' or hexdump) to confirm and remove any invisible characters. Treat that as a red flag until explained by the author.
2) Source trust: The package lists a GitHub repository URL placeholder and the skill's source/homepage is 'unknown' in the registry metadata. Prefer installing only from a verifiable source (official repo or known author). Verify the repository and author (Krislu / '虾软') before trusting the package.
3) Network behavior: The skill will call api.github.com and optionally zread.ai, and may use a headless browser to render pages (the 'browser' tool). If you run this skill, consider restricting its network access (or run in a sandbox) if you don't want it contacting third‑party services. The localhost GitView URL is expected but monitor to ensure no unexpected internal network access occurs.
4) Run in a safe environment first: Install and test in an isolated environment (VM or container) and monitor network traffic (tcpdump) and file writes (/tmp/gitview_cache). The installer only copies packaged files, but you should still inspect the Python files (especially github_reader_v3_secure.py) for any obfuscated or hidden code before enabling it in production.
5) Credentials: This skill does not require credentials now. Do not supply a GITHUB_TOKEN or other secrets unless you understand and accept the risk. The docs mention adding GITHUB_TOKEN to support private repos in a future release—only provide it if you trust the package and host.
6) If you need to move forward: (a) inspect SKILL.md and python source for hidden characters or obfuscation, (b) verify the package repository and recent commits, (c) run static analysis / lint and run the skill with restricted network and filesystem permissions, (d) confirm the security claims in SECURITY_AUDIT.md by running the test cases locally.
If the unicode-control characters are explained (benign encoding artifact) and the package origin is verified, this assessment would likely move to 'benign'.Like a lobster shell, security has layers — review code before you run it.
latestvk97attn1b0mvmaezmvp0et3ccn83cesm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.