Github Trend Observer
v0.1.1
A GitHub Intelligence Tool from an AI PM perspective. Goes beyond displaying data to deliver PM-grade paradigm insights. Powered by the locally authenticated...
⭐ 0 · 178 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (GitHub intelligence / PM insights) aligns with what the package contains: Python scripts that call the GitHub CLI/API, report templates, and guidance. Requiring an authenticated gh CLI (via 'gh auth status') is appropriate and expected.
Instruction Scope
SKILL.md and ONBOARD.md instruct the agent to run only the included Python scripts and the gh CLI to fetch repository metadata, star histories, issues, commits, etc. The instructions do not ask the agent to read arbitrary local files or transmit data to non-GitHub endpoints. The onboarding text requires the agent to output a fixed readiness message, which is unusual but explained in the docs.
Install Mechanism
No install spec is present (instruction-only at registry level). The code bundle contains Python scripts and templates only; there are no downloads from arbitrary URLs or extracted archives. The only external dependency is the well-known gh CLI (install_url points to https://cli.github.com).
Credentials
The skill requests no environment variables and lists no credentials in metadata. It relies on the locally authenticated gh CLI (which uses the user's stored GitHub credentials). This is proportionate to the stated goal, but note that the gh CLI will use whatever GitHub token/config is present in the environment (no new secrets are requested by the skill).
Persistence & Privilege
The skill does not set always:true and does not request persistent platform-level privileges. It runs local scripts and reads GitHub via gh; it does not modify other skills or global agent configuration according to the provided files.
Assessment
This package appears to do what it says: run the local gh CLI and Python scripts to analyze GitHub repo signals. Before installing or running: (1) Ensure you understand that the tool uses your locally authenticated gh CLI (it will run gh commands and thus use whatever GitHub token/identity is configured). (2) Running the onboard/test suite and some modes will consume GitHub API quota—follow the provided rate-limit checks and avoid running heavy tests when quota is low. (3) If you want extra assurance, quickly inspect gh_utils.py (the helper that invokes gh) to confirm it doesn't leak data to external endpoints and review test_oss.py to see what remote calls it performs. (4) Run the scripts in an environment you control (or sandbox) if you are concerned about network calls or API usage. Overall, nothing in the bundle requests unrelated credentials or downloads arbitrary code, so the skill is internally consistent with its purpose.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d2t56ec9ek74nnr5b9t2znn82yh8d
