Upstream Recon
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is purpose-aligned and mainly performs read-only GitHub project research before the user interacts with a repository.
This appears safe to install as an instruction-only helper for read-only GitHub reconnaissance. Before using it, make sure you trust the installation source and understand that it will use the GitHub CLI to query repository issues, PRs, and comments.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run GitHub CLI queries about the requested repository and topic, but the artifacts do not show instructions to modify repositories or accounts.
The skill directs the agent to use an external CLI to query GitHub. This is expected for the skill's purpose and appears read-only, but it is still meaningful tool use that users should recognize.
Use `gh` CLI throughout. Run independent queries in parallel.
Use it for repositories and topics you intend to investigate, and confirm any separate write action, such as posting a comment or opening an issue, before allowing it.
Installing through the documented command may rely on external package or registry resolution even though this reviewed artifact set contains only instruction files.
The README provides a user-directed installation command through npx. This is common setup documentation, not automatic execution, but it depends on the user's trust in the external installer/source.
npx skills add oss-skills/upstream-recon
Install from a trusted source, review the files being added, and prefer the manual copy path if you want to avoid an npx-based installer.
