github-bounty-hunter-v2

Security checks across malware telemetry and agentic risk

Overview

The included code matches the stated GitHub bounty-search purpose and shows no secret access, persistence, file modification, or hidden behavior; users need only verify the package name before running the npx commands.

This appears safe for its stated use: it contacts GitHub’s public API and prints public issue results. Before installing, verify the command/package name because the registry slug includes “v2” while the documented npx command does not.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (risk level: Low)

What this means

A user copying the commands without checking could run a differently named package than the registry slug suggests.

Why it was flagged

The skill asks users to install/run an npm-style command. Because the registry entry is named github-bounty-hunter-v2 while the documented command and package name are github-bounty-hunter, users should verify they are executing the intended artifact.

Skill content

Installation: `npx clawhub install github-bounty-hunter` ... Usage: `npx github-bounty-hunter`

Recommendation

Install from the trusted ClawHub entry and confirm the package name/version before using the npx command.