Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Contribution

v1.4.0

Complete workflow for contributing code to open-source GitHub projects. Use case: when you need to resolve an issue or bug in an open-source project, this provides complete guidance from fork, sync and development through to submitting a PR. Includes Chrome browser PR submission support.

by Andy Tien (@linux2010)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description describe a GitHub contribution workflow which matches the included bash script and docs, but the package claims 'Chrome browser PR submission support' while there is no browser automation code or instructions. Also the skill does not declare required binaries yet the script requires git (and relies on the user's git auth/SSH/credential helper). _meta.json and skill.json show inconsistent version metadata. These are coherence issues you should verify with the author.
Instruction Scope
SKILL.md and the script instruct the agent/user to clone, add remotes, reset, clean, create branches, and push — all expected for this purpose. The instructions prompt the user for confirmation in one case and operate on the user's local repositories. They do not reference unrelated system paths or external endpoints beyond GitHub, and do not attempt to exfiltrate data, but they implicitly depend on the user's Git credentials and local repo state.
Install Mechanism
There is no install spec (instruction-only), which minimizes install risk. However, the skill package includes a shell script file that will be written to disk when the skill is installed or extracted by the platform. The script is plain Bash and not obfuscated; it operates via standard git commands and does not download or execute remote code.
Credentials
The skill declares no required environment variables or credentials, which matches the absence of secrets in files. However, the script uses HOME and relies implicitly on the user's git authentication (SSH keys or credential helpers) and network access to GitHub. The absence of an explicit 'requires: git' or note about needing git/github credentials is a proportionality/documentation gap worth flagging.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent configuration, and does not persist credentials. Its runtime actions are limited to git operations in the user's chosen project directory.
What to consider before installing
This skill appears to implement a standard fork/sync/branch/PR workflow via a Bash script, but please do the following before using it:
1) Inspect scripts/github-contribution.sh yourself (it's short and readable) to confirm it only runs the git commands you expect.
2) Ensure git is installed and that you understand it will use your existing GitHub authentication (SSH keys or credential helper) when pushing/fetching.
3) Ask the author or maintainer to clarify the advertised 'Chrome browser PR submission support' — no browser automation is present.
4) Run the script in a disposable or test directory first (or after cloning a throwaway fork) to confirm behavior.
5) Note the small metadata/version inconsistencies and the unknown source/homepage; prefer skills with clear provenance if you need higher assurance.


Tags: contribution, fork, github, opensource, pr
