Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Bounty Finder

v1.0.0

Scan GitHub and Algora bounties to find high-value, low-competition opportunities with automated scoring and actionable recommendations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The code and SKILL.md clearly require a GITHUB_TOKEN and ALGORA_API_KEY to perform scans, which is coherent with the stated purpose. However, the registry metadata lists no required env vars or primary credential — that omission is inconsistent and could mislead users about what secrets are needed.
Instruction Scope (flagged)
SKILL.md and the CLI instruct the user to create a .env containing GITHUB_TOKEN and ALGORA_API_KEY and the runtime code reads process.env for those keys. The SKILL.md does not ask for or instruct any other unrelated data access, but the skill documentation references env vars that are not declared in the package/registry metadata — this mismatch is a scope/visibility problem that reduces transparency.
Install Mechanism
There is no ClawHub install spec in the registry (skill said to be 'instruction-only'), but the package includes Node source and a package.json with npm dependencies (axios, node-fetch, dotenv, etc.). Installation will require running npm install (no remote archive downloads observed). It's relatively low technical risk but the lack of install metadata is an inconsistency users should be aware of.
Credentials (flagged)
The skill legitimately needs GitHub and Algora API credentials to function. However, the registry metadata does not declare those required env vars or a primary credential, and the code expects full tokens in process.env. Ensure tokens are limited-scope (e.g., GitHub public_repo only) and you understand where they will be stored (.env in skill directory).
Persistence & Privilege
The skill is not always-enabled and does not request elevated system-wide privileges. It does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (default), which is expected for skills of this type.
What to consider before installing
1) Confirm the author/repository (the registry metadata lists a GitHub repo but owner/publish details are sparse).
2) Don't provide long-lived or broad-scope tokens: create a GitHub token with only the public_repo scope if possible and rotate it after use; verify Algora key scope.
3) Because the registry metadata did not declare required env vars or an install step, assume you'll need to run npm install in the skill folder; review package.json dependencies and run npm audit.
4) Inspect src/scanner.js (it only calls api.github.com and api.algora.io via axios) and verify there are no additional remote endpoints; run the tool first in demo mode to verify behavior before supplying credentials.
5) Prefer running in an isolated environment (container/VM) if you must supply secrets.
6) Ask the publisher to fix the registry metadata to explicitly list required env vars and provide a verified source URL; that fixes the main transparency issue and would raise confidence.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

src/scanner.js:11 - Environment variable access combined with network send.


latest: vk976rwcdfcwa127bem9cv97m2h8376vg
