Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chinese Talent Scout

v0.1.1

Discover, score, and monitor Chinese GitHub developers with GitHub signals, rule-based processing, optional OpenClaw AI evaluation, shortlist queries, cron m...

by Huan Du (@huandu)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for huandu/chinese-talent-scout.

Install the skill "Chinese Talent Scout" (huandu/chinese-talent-scout) from ClawHub.
Skill page: https://clawhub.ai/huandu/chinese-talent-scout
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install chinese-talent-scout

ClawHub CLI

npx clawhub@latest install chinese-talent-scout

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill is built to collect and evaluate GitHub developer signals and uses local 'gh' and 'openclaw' CLIs — this fits the name/description. However the registry metadata lists no required binaries or credentials while SKILL.md explicitly requires Node.js 22+, the gh CLI and the openclaw CLI; that mismatch is an incoherence reviewers should note. The bundle also contains a large Node.js runtime bundle rather than being purely instruction-only, which is reasonable but worth reviewing.
Instruction Scope
Runtime instructions instruct the agent to run collection via the local GitHub CLI and to call OpenClaw agents/messages for AI evaluation and channel delivery. That scope is consistent with the stated purpose but implies the skill will aggregate potentially sensitive profile data and can deliver it via OpenClaw channels. The SKILL.md claims exports are local only and config requests use relative paths, but delivery actions (openclaw message send / agent invocations) can transmit collected data depending on your OpenClaw configuration — you should inspect message payloads and use dry-run options before enabling real channels.
Install Mechanism
No install spec or external downloads are included; the skill is shipped as code files and a small shell wrapper that execs a bundled Node.js script. There are no installer URLs or archive extracts that would raise download/execution concerns.
Credentials
The registry lists no required environment variables or primary credential, which aligns with the package delegating auth to local 'gh' and 'openclaw' CLIs. That delegation is proportionate to the functionality. However the skill sets TALENT_WORKSPACE / TALENT_CONFIG for its child processes and relies on credentials stored in the local GH/OpenClaw environments — if those environments are misconfigured they could cause unintended data delivery. Also the talents.yaml includes external web-scrape seed URLs (e.g., china-ranking.aolifu.org) which are additional network targets your environment will contact.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It includes cron management commands that will sync jobs into OpenClaw (and can enable/disable cron jobs defined in the workspace), so it can schedule autonomous runs via your OpenClaw instance if you permit it. That scheduling capability is expected but increases blast radius if OpenClaw channels/agents are misconfigured.
What to consider before installing
Before installing:

  (1) Confirm you want a tool that collects and stores GitHub profile/repo data — this is personal data and may have privacy/legal implications.
  (2) Review the bundled scripts (scripts/talent-scout.mjs) and the workspace template (workspace-data/talents.yaml) locally to see exactly what is collected and which external URLs are queried (notably any web-scrape seeds).
  (3) Ensure 'gh' and 'openclaw' are installed and that their configured accounts/credentials are appropriate (use non-production/test accounts initially).
  (4) Use the provided dry-run modes (e.g., config request --dry-run) to inspect message payloads that would be sent via OpenClaw; validate that exports are local and do not contain secrets.
  (5) Run the skill in an isolated test workspace first and review output/workspace ZIP contents before sharing.
  (6) If you do not want automatic runs, do not enable the cron sync or remove/disable cron entries in talents.yaml.

These checks will reduce the risk of unintended data transmission or misconfiguration.

scripts/talent-scout.mjs:4715
Shell command execution detected (child_process).
scripts/talent-scout.mjs:5229
Environment variable access combined with network send.
scripts/talent-scout.mjs:11490
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latestvk973rp7q0nm0jf2bejx5dajj8183neps
124 downloads
0 stars
2 versions
Updated 1mo ago
v0.1.1
MIT-0

Chinese Talent Scout Skill

Unified skill entry for the AI Talent Scout system. This skill exposes collection, processing, evaluation, and querying capabilities through a single command surface, suitable for OpenClaw agent scheduling and ClawHub distribution.

Run commands through scripts/talent-scout.sh <command> ....

Safety Summary

  • GitHub collection is executed through the local gh CLI. This skill does not parse or store GitHub tokens itself.
  • AI evaluation, channel delivery, and cron operations are delegated to the local openclaw CLI. Provider credentials and channel accounts are managed by OpenClaw, not embedded in this skill.
  • config request sends only a relative config reference (workspace-data/talents.yaml) plus the requested change. It does not send absolute local filesystem paths.
  • export workspace creates a local ZIP and prints its path. It does not upload files or send attachments by itself.

See Security Notes and Credential Model before publishing or installing in production.

Commands

Pipeline

  • collect — Run data collection from GitHub signals, community repos, and stargazers.
  • process — Merge, deduplicate, identify, and score collected candidates.
  • evaluate — Run AI-assisted evaluation on processed candidates.
  • pipeline — Run the full collect → process → evaluate pipeline.

Query

  • query shortlist — List the current shortlist of evaluated candidates.
  • query candidate <username> — Show details for a specific candidate.
  • query stats — Show run statistics and distributions.

Config

  • config request — Send a channel message asking AI to update workspace-data/talents.yaml without disclosing absolute local paths.

Export

  • export workspace — Package the current workspace-data/ directory as a ZIP and return the local archive path.

Cron

  • cron status — Show configured cron jobs.
  • cron sync — Sync cron jobs to OpenClaw.
  • cron runs — Show recent OpenClaw cron run history.
  • cron run <name> — Show details for a specific cron run.
  • cron disable <name> — Disable a cron job.
  • cron enable <name> — Enable a cron job.

Data Flow

GitHub API → data-collector → output/raw/
  → data-processor → output/processed/
  → ai-evaluator → output/evaluated/
  → dashboard / skills query

Configuration

Mutable workspace configuration lives in workspace-data/talents.yaml. The file is seeded from the packaged template on first use.

Do not store long-lived secrets in workspace-data/talents.yaml. export workspace packages that file into the local archive it creates.
