v1.0.0

github-bounty-hunter-v2

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

The included code matches the stated GitHub bounty-search purpose and shows no secret access, persistence, file modification, or hidden behavior; users should only verify the package/name before running the npx commands.

Guidance

This appears safe for its stated use: it contacts GitHub’s public API and prints public issue results. Before installing, verify the command/package name because the registry slug includes “v2” while the documented npx command does not.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low
Confidence: High
Status: Note
SKILL.md
Installation: `npx clawhub install github-bounty-hunter` ... Usage: `npx github-bounty-hunter`

The skill asks users to install/run an npm-style command. Because the registry entry is named github-bounty-hunter-v2 while the documented command and package name are github-bounty-hunter, users should verify they are executing the intended artifact.

User impact: A user copying the commands without checking could run a differently named package than the registry slug suggests.
Recommendation: Install from the trusted ClawHub entry and confirm the package name/version before using the npx command.