Github Trend Observer
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: github-trend-observer
Version: 0.1.1
The GitHub Radar skill bundle is a legitimate intelligence tool designed for AI Product Managers to analyze GitHub trends and ecosystems. It utilizes the official GitHub CLI (gh) for authenticated API access and implements its logic through a series of transparent Python scripts (e.g., deep_link.py, radar_pulse.py) that rely solely on the Python standard library. The bundle includes comprehensive documentation, report templates, and a robust automated test suite (test_oss.py) to verify environment readiness and script integrity. No indicators of data exfiltration, malicious command execution, or harmful prompt injection were found; the tool operates strictly within its stated purpose of project discovery and paradigm analysis.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may access GitHub data available to the authenticated account and consume that account's API quota.
The skill uses the user's local GitHub CLI authentication to make GitHub API requests. This is expected for the tool's purpose, but it means the skill acts through the user's GitHub login.
Powered by the locally authenticated gh CLI + GitHub API ... auth_required: true ... check: "gh auth status"
Use a GitHub account or token with appropriate minimal scopes, and make sure you are comfortable with the skill using your gh CLI login.
Loading or using the skill can run included scripts and make GitHub API calls, which may take time and use rate limit quota.
The onboarding flow instructs the agent to run local Python scripts and tests. This is disclosed and central to the skill's GitHub analysis workflow, but it is still local code execution.
Run the following commands in order ... python scripts/check_rate_limit.py ... cd scripts && python test_oss.py
Review the included scripts if desired, and run the skill only when you are comfortable with local Python execution and GitHub API usage.
Users may not realize from registry metadata alone that the skill depends on executable local scripts and an authenticated GitHub CLI.
The registry metadata does not declare the required gh/Python runtime or GitHub authentication that the skill documentation describes. This is a provenance and metadata completeness gap, not evidence of malicious behavior.
Source: unknown; Homepage: none ... Required binaries ... none ... Primary credential: none ... No install spec
Treat the SKILL.md prerequisites as authoritative, verify the package source if provenance matters, and confirm gh/Python are installed before use.
