Clawhub Stats Tracker
v1.0.0查看 ClawHub 上已发布 Skill 的运营数据(Stars、Downloads、Installs、版本号、发布时间)。 从 ~/.clawhub/tracked-skills.json 读取跟踪列表,通过 clawhub inspect --json 获取实时数据, 支持单个查询、批量查询和按系列筛选。无...
⭐ 0· 62·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's behavior (reading ~/.clawhub/tracked-skills.json and calling clawhub inspect) matches its description. However, the package metadata declares no required binaries while the provided script invokes bash, python3 and npx; these expected dependencies are not listed in the metadata.
Instruction Scope
SKILL.md and the script only read the user's ~/.clawhub/tracked-skills.json and call the ClawHub inspect command, then print results locally. The instructions do not request unrelated files, environment secrets, or transmit data to any hidden endpoint.
Install Mechanism
This is instruction-only (no install spec). The script uses `npx clawhub@latest`, which downloads and runs code from the npm registry at runtime. That is functional for the declared purpose but means arbitrary remote package code can be executed each run unless the user pins or pre-installs the clawhub CLI.
Credentials
No credentials or special environment variables are requested. The script only reads a user config under $HOME (~/.clawhub/tracked-skills.json), which is proportionate to the stated goal.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system presence. It does not modify other skills or system-wide config.
Assessment
This skill is generally coherent and low-risk for its purpose, but take these precautions before running it: (1) Note that the script expects bash, python3 and npx — ensure those are available or update metadata. (2) The script uses `npx clawhub@latest`, which will download and execute the latest npm package each time; if you want to avoid running remote code repeatedly, install a known version of the ClawHub CLI locally (or pin a version) instead of using `@latest`. (3) Inspect the npm package source (openclaw/clawhub) or vendor the CLI if you are concerned about supply-chain risks. (4) Ensure your ~/.clawhub/tracked-skills.json only contains slugs you trust (the script reads that file locally). If you want safer operation, replace `npx ...` with a locally installed, version-pinned binary and add declared required binaries to the skill metadata.Like a lobster shell, security has layers — review code before you run it.
latestvk9720myt7dm2b3je46bt6h7qv583nmgv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.