Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bounty Hunter Agent
v1.1.0
Autonomously scans GitHub, Algora, and Opire for bounty issues, scores by payout and competition, ranks opportunities, and can auto-submit PRs.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name/description claim: scan GitHub, Algora, and Opire, rank bounties, and auto-submit PRs / spawn fix sessions. The included script only calls the gh CLI / GitHub API (search, timeline) and produces a local ranked JSON file; in the portion shown there is no visible integration with Algora or Opire, no auto-PR submission, and no OpenClaw orchestration. Requesting no special credentials is coherent for a read-only GitHub scanner (it relies on gh auth), but the additional advertised capabilities are not backed by the code.
Instruction Scope
SKILL.md instructs running the script and claims it will check Algora/Opire and can spawn OpenClaw sessions; the script as shown only searches GitHub via gh, extracts payouts, counts PRs, scores, and writes state to ~/.agents/skills/bounty-hunter-agent/state/bounties.json. The instructions are otherwise specific (uses gh CLI), and the script does write local state as documented. The mismatch between declared external integrations/auto-submit and the script is the main scope issue.
Install Mechanism
No install spec (instruction-only) and no third-party packages; the script uses only the Python stdlib and the gh CLI. This is low-risk from an install perspective because nothing is downloaded or extracted by the skill itself.
Credentials
No required env vars are declared; the script accepts optional BOUNTY_* overrides and relies on gh CLI authentication for GitHub access. Asking the user to authenticate gh is appropriate for the stated GitHub scanning purpose. There are no unrelated credential requests.
Persistence & Privilege
The skill persists state to ~/.agents/skills/bounty-hunter-agent/state/bounties.json, which is reasonable for avoiding re-scans. The always flag is false and the skill does not request elevated privileges. Nothing indicates modification of other skills or system-wide configs.
What to consider before installing
This skill appears to be a GitHub issue scanner that uses your local gh CLI credentials and stores results under ~/.agents/skills/.../state/bounties.json — that part is coherent and low-risk. However, the README promises extra features (checking Algora/Opire bounties, auto-submitting PRs, and spawning OpenClaw fix sessions) that are not visible in the provided script. Before installing or invoking the skill:
1) Request the complete, untruncated script and confirm whether any code actually implements Algora/Opire integrations or PR submission.
2) If you expect automated PR submission, require explicit code review and limit the gh token's permissions (use a token with minimal scopes or run in a throwaway account).
3) Consider running the script in a sandbox or with a dry-run option to confirm it only reads data and does not push changes.
4) If you plan to enable OpenClaw automation, verify the orchestration code and scope so it cannot autonomously modify other repos or exfiltrate tokens.
If you cannot verify the missing functionality, treat the advertised auto-submit/third-party integrations as untrusted and avoid granting broader rights.
Tags: automation, bounty, github, latest
