ClawHub

github-bounty-hunter-v2

v1.0.0

Automatically search for low-competition GitHub bounty tasks (comments < 5) and generate a clean report with details and estimated difficulty.

0· 97·0 current·0 all-time
by@santosparra651-arch
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the code: scripts/search.js builds a GitHub Search API query for label:bounty, filters by comment count, sorts results, and prints a report. No unrelated capabilities (cloud creds, filesystem scanning, or external endpoints) are present.
Instruction Scope
SKILL.md instructs running the included Node script via npx and documents expected behavior. The instructions and script only perform GitHub API GET requests and print a report — they do not read local files or exfiltrate data. Minor mismatch: SKILL.md mentions authenticated API access for higher rate limits but neither requires nor documents passing a token to the script.
Install Mechanism
No install spec is present (instruction-only skill), and the repo includes package.json and a runnable script. The example npx install/usage implies an npm-distributed package; no remote downloads or extract/install steps occur in the provided files. Verify registry provenance before running npx against an unknown package name.
Credentials
The skill requests no environment variables or credentials. This is proportionate to the included code (which makes unauthenticated API calls). However, SKILL.md suggests optional authenticated GitHub API access for higher rate limits — the script does not currently accept or document a GITHUB_TOKEN environment variable, so users expecting token-based auth would need to modify the script.
Persistence & Privilege
Skill does not request persistent/always-on presence (always:false) and does not modify other skills or system-wide settings. It runs as a simple one-off CLI script with no privileged behavior.
Assessment
This skill appears coherent and straightforward, but take these precautions before installing/running: - Review the included scripts (already small and readable) — they only call api.github.com and print results. - The package/skill source is 'unknown'; if you plan to run npx github-bounty-hunter or install from a registry, verify the package publisher and checksum to avoid fetching a different package with malicious code. - If you need higher GitHub rate limits, the script must be edited to send an Authorization: token header (it currently does not read GITHUB_TOKEN). Don't paste secrets into third-party tools unless you trust the publisher. - Running the script requires Node.js and will make outbound HTTPS requests to api.github.com; run it from a non-privileged account and avoid running as root. - If you want stricter guarantees, request the publisher's repository/homepage or run the included script locally rather than via npx from an unknown registry.

Like a lobster shell, security has layers — review code before you run it.

github-bounty-hunter-v2vk975ea1m8ws2w63atc2dme2r2s83b84rlatestvk975ea1m8ws2w63atc2dme2r2s83b84r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments