Skill v1.0.6
ClawScan security
GitHub Projects Explorer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Mar 29, 2026, 7:24 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its description: it queries the GitHub Search API and optionally uses GITHUB_TOKEN to raise rate limits; there are no unexplained credentials, installs, or hidden endpoints.
- Guidance: This skill appears coherent and implements only GitHub search functionality. Before running: (1) review the included Python script (it uses only the Python stdlib and calls api.github.com); (2) prefer exporting GITHUB_TOKEN in a secure session (export GITHUB_TOKEN=...) rather than echoing it into shell rc files if you want to avoid storing secrets in plaintext configs; (3) create a token with minimal privileges (searching public repos does not require repo scopes) and avoid pasting tokens into logs or screenshots. If you need stronger isolation, run the script in a disposable environment (container/VM).
Review Dimensions
- Purpose & Capability (ok): Name/description (discover GitHub repos) align with the included Python script and reference doc. All required functionality (topic, stars, days, lang, sort) is implemented and justified.
- Instruction Scope (note): SKILL.md and the script are narrowly scoped to building and issuing GitHub search requests. The only actionable system instruction suggested is optionally exporting GITHUB_TOKEN (including an example that appends it to ~/.zshrc); this is standard but worth noting because it writes a secret to a shell rc file if followed verbatim.
- Install Mechanism (ok): No install spec; this is instruction-only with a small Python script that uses the standard library (urllib). Nothing is downloaded or written by the skill itself during installation.
- Credentials (ok): No required env vars are declared; the only optional environment variable used is GITHUB_TOKEN, which is appropriate and expected for increasing GitHub API rate limits. No other credentials or unrelated environment access is requested.
- Persistence & Privilege (ok): Skill does not request always:true, does not modify other skills or system-wide settings, and runs as a one-off script. The only persistence hinted in docs is an optional user action (adding GITHUB_TOKEN to ~/.zshrc).
