ClawHub

Git Log Intelligence

v1.0.2

Fetch, filter, and summarize GitHub repository activity without cloning. Use whenever the user asks what changed in a repo, wants a changelog summary, asks a...

0· 73·1 current·1 all-time
byNick Ludlam@nickludlam
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the package actually does: it queries the GitHub API via the gh CLI and summarizes/filter commits. Required binary (gh) and the GITHUB_PERSONAL_ACCESS_TOKEN env var are appropriate and expected.
Instruction Scope
Runtime instructions tell the agent to run the included python script which uses gh api and reads/writes a local .config/git_filters.json ignore list. The script only accesses the GitHub API (via gh) and the declared env var; it does not reference other system paths or external endpoints. Note: it persists ignore patterns to disk (script-directory/.config/git_filters.json).
Install Mechanism
Instruction-only skill with a bundled script; there is no install spec, no remote downloads, and nothing is written to disk except the script's own .config file when the skill runs.
Credentials
Only requires a single GitHub PAT (GITHUB_PERSONAL_ACCESS_TOKEN) which is translated to GH_TOKEN for gh; SKILL.md correctly recommends minimal scopes (public_repo or repo). No unrelated credentials are requested.
Persistence & Privilege
always:false (normal). The only persistent effect is the ignore-list file saved under .config/git_filters.json relative to the script location; the skill does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), so the agent may run the script when invoked by the user.
Assessment
This skill appears coherent, but consider: (1) it requires a GitHub personal access token—grant the minimal scope (public_repo for public repos) and treat the token like a secret; (2) ensure you have the gh CLI installed and that you trust where the skill files are stored—the script will create/modify .config/git_filters.json next to the script (if the skill is installed in a shared or system-owned directory, that file will be written there); (3) review the included python file yourself if you want to be sure no additional behavior is present; (4) if you stop using the skill, delete or rotate the PAT and remove the .config/git_filters.json file to clear persisted ignore patterns; (5) the agent will call the script to interact with GitHub (normal behavior) — there are no hidden external endpoints in the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e9r0sx38teypgfmnwjtwg7n84fbtn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsgh
EnvGITHUB_PERSONAL_ACCESS_TOKEN

Comments