Github Trend Observer
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a legitimate GitHub trend analyzer, but it will run local scripts and use your GitHub CLI login.
Before installing, confirm you are comfortable letting the skill use your authenticated gh CLI and GitHub API quota. Use least-privilege GitHub credentials where possible, expect local Python scripts to run, and note that no evidence of token logging, destructive GitHub actions, or hidden exfiltration appears in the provided artifacts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may access GitHub data available to the authenticated account and consume that account's API quota.
The skill uses the user's local GitHub CLI authentication to make GitHub API requests. This is expected for the tool's purpose, but it means the skill acts through the user's GitHub login.
Powered by the locally authenticated gh CLI + GitHub API ... auth_required: true ... check: "gh auth status"
Use a GitHub account or token with appropriate minimal scopes, and make sure you are comfortable with the skill using your gh CLI login.
Loading or using the skill can run included scripts and make GitHub API calls, which may take time and use rate limit quota.
The onboarding flow instructs the agent to run local Python scripts and tests. This is disclosed and central to the skill's GitHub analysis workflow, but it is still local code execution.
Run the following commands in order ... python scripts/check_rate_limit.py ... cd scripts && python test_oss.py
Review the included scripts if desired, and run the skill only when you are comfortable with local Python execution and GitHub API usage.
Users may not realize from registry metadata alone that the skill depends on executable local scripts and an authenticated GitHub CLI.
The registry metadata does not declare the required gh/Python runtime or GitHub authentication that the skill documentation describes. This is a provenance and metadata completeness gap, not evidence of malicious behavior.
Source: unknown; Homepage: none ... Required binaries ... none ... Primary credential: none ... No install spec
Treat the SKILL.md prerequisites as authoritative, verify the package source if provenance matters, and confirm gh/Python are installed before use.
