ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Search recent repo activities

v1.0.0

Fetch recent GitHub activity from the Nom feed

0· 569·0 current·0 all-time
byWilson Ler@lws803
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say 'Fetch recent GitHub activity from the Nom feed' and the instructions only call the Nom API endpoints on beta.nomit.dev with curl and format results. No unrelated env vars, binaries, or installs are requested — the requested capabilities match the stated purpose.
Instruction Scope
SKILL.md only instructs fetching JSON or RSS from beta.nomit.dev and summarizing items; it does not reference local files, other env vars, or unrelated services. Note: it relies on a third‑party endpoint (beta.nomit.dev) rather than the official GitHub API — this is expected for the stated purpose but is a trust/availability consideration.
Install Mechanism
No install spec or code files (instruction-only). This is the lowest-risk option — nothing is written to disk or downloaded by the skill itself.
Credentials
The skill requires no environment variables, credentials, or config paths. That matches its use of a public feed and is proportionate.
Persistence & Privilege
always is false and the skill has no install hooks or configuration changes. It does not request persistent privileges or access to other skills' configuration.
Assessment
This skill is coherent and low-risk in its current form because it only performs public HTTP requests to beta.nomit.dev and formats results. Before installing, verify you trust the third-party feed host (beta.nomit.dev) — it will see request metadata and could supply misleading content. If you expect private or authenticated data, confirm the skill would require appropriate credentials (none are requested now). Also consider rate limits and whether you prefer data from GitHub's official API instead of a third-party aggregator.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d4y7xh4r0xbndxcxhyhc0y181hct0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments