GitHunt
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: githunt Version: 1.0.0 The OpenClaw skill bundle for 'githunt' is benign. All files, including the `SKILL.md` instructions and the `githunt-search.sh` scripts, consistently describe and implement interactions with the `https://api.githunt.ai` service for finding GitHub developers. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection attempts against the agent, or obfuscation. The scripts use standard shell commands (`curl`, `jq`, `sed`) to interact with the specified API and process its output, which is aligned with the stated purpose of the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your location, role, and skill search terms may be sent to githunt.ai to retrieve ranked GitHub profiles.
The helper script sends the user’s search parameters to the GitHunt API. This is expected for a developer-search skill, but it means search criteria are shared with an external service.
curl -s -N -X POST "$API_URL/rank/users/stream" ... -d "$payload"
Use the skill only for searches you are comfortable sending to the GitHunt service, and review the service’s terms/privacy practices if that matters for your workflow.
The helper script may fail or behave differently if required local tools are unavailable, but no hidden installation or remote code execution is shown.
The included helper script depends on local command-line tools such as curl and jq, while the registry requirements list no required binaries. This appears to be an under-declared but purpose-aligned helper dependency.
response=$(curl -s -X POST "$API_URL/rank/users" ... --compressed 2>/dev/null) ... jq -r
If using the script rather than the documented curl examples, make sure curl and jq are installed and inspect the script before running it.