Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Bounty Finder Pro

v1.0.2

Scan GitHub and Algora for high-value bounties, analyze competition and freshness, score opportunities, and provide actionable recommendations.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: src/scanner.js and bin/cli.js implement GitHub and Algora scanning, competition analysis, scoring and export. The requested environment variables in README/SKILL.md (GITHUB_TOKEN, ALGORA_API_KEY) are appropriate for the stated purpose. However, the skill metadata shown earlier (Requirements: none / Primary credential: none) omits these keys — an inconsistency between declared registry metadata and the runtime docs/code.
Instruction Scope
SKILL.md and bin/cli.js instruct the agent/user to provide GITHUB_TOKEN and ALGORA_API_KEY and to run the CLI. The runtime instructions and code only access those environment variables (via dotenv/process.env), call GitHub (api.github.com) and Algora (api.algora.io), and optionally write an output JSON. There are no instructions to read unrelated system files or send data to unknown endpoints.
Install Mechanism
There is no remote download/install from untrusted URLs; installation is via npm (package.json) or ClawHub. Dependencies are standard npm libraries (axios, dotenv, commander, chalk). No extract-from-unknown-URL steps or executable installers are used in the provided files.
Credentials
The code legitimately needs GITHUB_TOKEN and ALGORA_API_KEY, which the docs ask for. But the registry metadata presented earlier (Requirements: none, Primary credential: none) does not declare these required secrets — this mismatch is a red flag because the skill will ask for/expect secrets that are not declared up-front in the registry. Confirm the registry listing and ensure secrets are explicitly declared. Also ensure you provide a token with minimal scope (e.g., public_repo only) and not a full user token.
Persistence & Privilege
The skill does not request 'always: true', does not persist or modify other skills' configs, and only runs when invoked. It does not attempt to enable itself permanently or request elevated platform privileges.
What to consider before installing
This package's code matches its description (it calls GitHub and Algora APIs, scores results, and can save a JSON). However, the registry metadata omitted required env vars while SKILL.md and README instruct you to create a .env with GITHUB_TOKEN and ALGORA_API_KEY. Before installing:
1) Verify the package source/repository and maintainer (clawhub.json points to a GitHub URL; inspect that repo).
2) Only provide a GitHub token with minimal scope (public_repo as recommended); do not use a full account/password or tokens with repo/write/admin scopes.
3) Prefer creating narrowly scoped tokens and run initial scans in an isolated environment (or a throwaway account) to validate behavior.
4) If you plan to use Algora, verify the Algora API endpoint and key policy.
5) Consider asking the publisher to correct the registry metadata to explicitly declare the required credentials before supplying secrets.
Overall functionality looks coherent, but the metadata/documentation mismatch is the main reason to be cautious.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/scanner.js:11 — Environment variable access combined with network send.


Tags: bounty, developer, github, latest

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
