Algora Bounty Assistant

v1.0.0

Automatically search for low-competition GitHub bounty tasks (comments < 5) and generate a clean report with details and estimated difficulty.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts: both search and analyze scripts call the GitHub Search API for issues labeled 'bounty' and generate reports. No unrelated binaries, credentials, or services are requested.
Instruction Scope
SKILL.md and the scripts limit behavior to querying api.github.com and printing reports. The README suggests authenticated GitHub API access for higher rate limits, but the package does not declare any required env vars (e.g., GITHUB_TOKEN) nor do the scripts read env vars — this is a minor mismatch but not malicious. The instructions do not ask the agent to read local files or send data to unexpected endpoints.
Install Mechanism
There is no install spec in the registry entry (instruction-only skill). The repository includes package.json and small scripts; there are no downloads from unknown URLs or extract steps. Running via npx would execute the included script behavior — expected for a CLI tool.
Credentials
The skill requests no environment variables or credentials. Its functionality (GitHub Search API) can work unauthenticated but with strict rate limits; the SKILL.md's suggestion to authenticate is reasonable but optional. No unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and has no elevated persistence or privilege requests.
Assessment
This skill appears coherent and limited to querying the public GitHub Search API and printing results. Before installing: (1) review the small scripts yourself (they are included and readable); (2) if you provide a GITHUB_TOKEN for better rate limits, use a least-privilege token and do not expose long-lived personal tokens unnecessarily; (3) be aware that running code via npx will execute the package's scripts — run in a safe environment if you don't trust the publisher; (4) confirm the publisher/owner if provenance matters (no homepage or recognizable author is provided). Overall the footprint is small and proportional to the stated purpose.

Like a lobster shell, security has layers — review code before you run it.
