Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Bounty Finder

v1.0.0

Scan GitHub and Algora bounties to find high-value, low-competition opportunities with automated scoring and actionable recommendations.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lvjunjie-byte/github-bounty-finder-cn.

Prompt preview (Install & Setup):
Install the skill "Github Bounty Finder" (lvjunjie-byte/github-bounty-finder-cn) from ClawHub.
Skill page: https://clawhub.ai/lvjunjie-byte/github-bounty-finder-cn
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install github-bounty-finder-cn

ClawHub CLI


npx clawhub@latest install github-bounty-finder-cn
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The code and SKILL.md clearly require a GITHUB_TOKEN and ALGORA_API_KEY to perform scans, which is coherent with the stated purpose. However, the registry metadata lists no required env vars or primary credential — that omission is inconsistent and could mislead users about what secrets are needed.

Instruction Scope (flagged)
SKILL.md and the CLI instruct the user to create a .env containing GITHUB_TOKEN and ALGORA_API_KEY and the runtime code reads process.env for those keys. The SKILL.md does not ask for or instruct any other unrelated data access, but the skill documentation references env vars that are not declared in the package/registry metadata — this mismatch is a scope/visibility problem that reduces transparency.

Install Mechanism
There is no ClawHub install spec in the registry (skill said to be 'instruction-only'), but the package includes Node source and a package.json with npm dependencies (axios, node-fetch, dotenv, etc.). Installation will require running npm install (no remote archive downloads observed). It's relatively low technical risk but the lack of install metadata is an inconsistency users should be aware of.

Credentials (flagged)
The skill legitimately needs GitHub and Algora API credentials to function. However, the registry metadata does not declare those required env vars or a primary credential, and the code expects full tokens in process.env. Ensure tokens are limited-scope (e.g., GitHub public_repo only) and you understand where they will be stored (.env in skill directory).

Persistence & Privilege
The skill is not always-enabled and does not request elevated system-wide privileges. It does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (default), which is expected for skills of this type.

What to consider before installing
  1. Confirm the author/repository (the registry metadata lists a GitHub repo but owner/publish details are sparse).
  2. Don't provide long-lived or broad-scope tokens — create a GitHub token with only the public_repo scope if possible and rotate it after use; verify Algora key scope.
  3. Because the registry metadata did not declare required env vars or an install step, assume you'll need to run npm install in the skill folder — review package.json dependencies and run npm audit.
  4. Inspect src/scanner.js (it only calls api.github.com and api.algora.io via axios) and verify there are no additional remote endpoints; run the tool first in demo mode to verify behavior before supplying credentials.
  5. Prefer running in an isolated environment (container/VM) if you must supply secrets.
  6. Ask the publisher to fix the registry metadata to explicitly list required env vars and provide a verified source URL — that fixes the main transparency issue and would raise confidence.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
  • src/scanner.js:11: Environment variable access combined with network send.

Latest version id: vk976rwcdfcwa127bem9cv97m2h8376vg
173 downloads · 0 stars · 1 version
Updated 22h ago
v1.0.0 · MIT-0

GitHub Bounty Finder Skill

🎯 Find high-value GitHub and Algora bounties with automated competition analysis

Description

GitHub Bounty Finder is a powerful scanning tool that helps developers discover lucrative bounty opportunities on GitHub and Algora. It automatically analyzes competition levels, scores opportunities, and provides actionable recommendations.

Features

  • 🔍 Multi-Platform Scanning: Scan both GitHub Issues and Algora bounties
  • 📊 Competition Analysis: Analyze PR counts, comments, and engagement
  • 🎯 Smart Filtering: Auto-filter low-competition, high-value opportunities
  • 💰 Opportunity Scoring: 0-100 scoring algorithm based on value, competition, and freshness
  • 🤖 Automated Recommendations: Get actionable insights for each bounty
  • 📈 Pricing Intelligence: Market-based pricing recommendations

Installation

# Install via clawhub
clawhub install github-bounty-finder

# Or install manually
cd skills/github-bounty-finder
npm install

Configuration

Create a .env file in the skill directory:

GITHUB_TOKEN=your_github_personal_access_token
ALGORA_API_KEY=your_algora_api_key

Getting API Keys

  1. GitHub Token:

    • Go to GitHub Settings → Developer settings → Personal access tokens
    • Create a token with public_repo scope
  2. Algora API Key:
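The scan report above recommends a GitHub token limited to the public_repo scope. The following is an added example, not part of the skill's own source, of a pre-flight check that refuses to run when the token in use grants more than that. It relies on GitHub echoing a classic personal access token's granted scopes in the X-OAuth-Scopes response header (fine-grained tokens do not get that header, so the check fails closed); the allow-list of {public_repo} is an assumption taken from the README.

```javascript
// Added example, not the skill's own code: fail closed when GITHUB_TOKEN is
// over-scoped. Classic PATs get their granted scopes echoed back by
// api.github.com in X-OAuth-Scopes; fine-grained tokens do not, so a missing
// header is treated as "cannot verify" rather than "fine".

// Scopes this skill needs (assumption based on the README: public_repo only).
const ALLOWED_SCOPES = new Set(['public_repo']);

// "repo, read:org, gist" -> Set {"repo","read:org","gist"}; null if header absent.
function parseScopes(header) {
  if (header === null || header === undefined) return null;
  return new Set(header.split(',').map(s => s.trim()).filter(Boolean));
}

// Compare granted scopes against the allow-list. The token itself is never
// included in the result, so the verdict is safe to log.
function evaluateScopes(header, allowed = ALLOWED_SCOPES) {
  const granted = parseScopes(header);
  if (granted === null) {
    return { ok: false, reason: 'X-OAuth-Scopes header absent; scope cannot be verified', extra: [] };
  }
  // 'repo' is a superset of public_repo (adds private repos), so it counts as excess.
  const extra = [...granted].filter(s => !allowed.has(s));
  if (extra.length > 0) {
    return { ok: false, reason: `token grants more than needed: ${extra.join(', ')}`, extra };
  }
  return { ok: true, reason: 'granted scopes are within the allow-list', extra: [] };
}

// One authenticated request to the API root; only the response headers are read.
// fetchImpl is injectable so the logic can be exercised offline with a stub.
async function preflightGithubToken(token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl('https://api.github.com/', {
    headers: { Authorization: `Bearer ${token}`, 'User-Agent': 'bounty-finder-preflight' },
  });
  if (res.status === 401) return { ok: false, reason: 'token rejected (HTTP 401)', extra: [] };
  return evaluateScopes(res.headers.get('x-oauth-scopes'));
}

// Typical use, before handing the token to the scanner:
//   const verdict = await preflightGithubToken(process.env.GITHUB_TOKEN);
//   if (!verdict.ok) { console.error(verdict.reason); process.exit(1); }
```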

Usage

Basic Scan

github-bounty-finder scan

Advanced Options

# Custom search query
github-bounty-finder scan --query "bug bounty"

# Set minimum bounty amount
github-bounty-finder scan --min-bounty 500

# Limit competition (max comments)
github-bounty-finder scan --max-competition 3

# GitHub only
github-bounty-finder scan --github-only

# Save results to file
github-bounty-finder scan --output results.json

Demo Mode

github-bounty-finder demo

Check Configuration

github-bounty-finder config

Output Format

The scanner returns structured data:

{
  "bounties": [
    {
      "id": 123,
      "title": "Fix memory leak",
      "url": "https://github.com/...",
      "bountyAmount": 1500,
      "comments": 0,
      "score": 95,
      "competitionLevel": "None",
      "recommendedAction": "🔥 HIGH PRIORITY - Apply immediately"
    }
  ],
  "totalFound": 25,
  "highPriority": 5,
  "goodOpportunities": 12,
  "pricingRecommendation": {
    "recommendedPrice": 149,
    "currency": "USD",
    "billingCycle": "monthly"
  }
}

Opportunity Scoring Algorithm

Scores are calculated based on:

  • Bounty Value (0-30 points): Higher bounties score better

    • $1000+: +30 points
    • $500+: +20 points
    • $200+: +10 points
  • Competition Level (0-40 points): Less competition is better

    • 0 comments: +40 points
    • 1-2 comments: +30 points
    • 3-5 comments: +20 points
    • 6-10 comments: +10 points
  • Freshness (0-20 points): Newer is better

    • ≤3 days: +20 points
    • ≤7 days: +15 points
    • ≤14 days: +10 points
    • ≤30 days: +5 points
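The tiers above as pure functions, added here as an example and not the skill's own src/scanner.js. The listed tiers sum to 90, so that is this example's maximum; the README does not say how the rest of the 0-100 range is awarded. The sample bounties and scan time are constructed, and the `--min-bounty` / `--max-competition` filters are applied before scoring as the CLI options describe.

```javascript
// Added example (not the skill's own code): README scoring tiers as pure functions.
// Bounty value: 0-30 points.
function valuePoints(amount) {
  if (amount >= 1000) return 30;
  if (amount >= 500) return 20;
  if (amount >= 200) return 10;
  return 0;
}
// Competition: 0-40 points, fewer comments is better.
function competitionPoints(comments) {
  if (comments === 0) return 40;
  if (comments <= 2) return 30;
  if (comments <= 5) return 20;
  if (comments <= 10) return 10;
  return 0;
}
// Freshness: 0-20 points, by age in days at scan time.
function freshnessPoints(ageDays) {
  if (ageDays <= 3) return 20;
  if (ageDays <= 7) return 15;
  if (ageDays <= 14) return 10;
  if (ageDays <= 30) return 5;
  return 0;
}

// `now` (ms since epoch) is injectable so the freshness tier is reproducible.
function scoreBounty(bounty, now = Date.now()) {
  const ageDays = (now - Date.parse(bounty.createdAt)) / 86400000;
  const value = valuePoints(bounty.bountyAmount);
  const competition = competitionPoints(bounty.comments);
  const freshness = freshnessPoints(ageDays);
  return { value, competition, freshness, score: value + competition + freshness };
}

// Apply the --min-bounty / --max-competition filters, then score and rank.
function rankBounties(bounties, { minBounty = 0, maxCompetition = Infinity } = {}, now = Date.now()) {
  return bounties
    .filter(b => b.bountyAmount >= minBounty && b.comments <= maxCompetition)
    .map(b => ({ ...b, ...scoreBounty(b, now) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample issues (not real bounties) and a fixed scan time.
const SAMPLE_BOUNTIES = [
  { id: 1, title: 'Fix memory leak', bountyAmount: 1500, comments: 0, createdAt: '2024-06-01T00:00:00Z' },
  { id: 2, title: 'Add dark mode', bountyAmount: 300, comments: 4, createdAt: '2024-05-20T00:00:00Z' },
  { id: 3, title: 'Typo in docs', bountyAmount: 50, comments: 12, createdAt: '2024-03-01T00:00:00Z' },
];
const SCAN_TIME = Date.parse('2024-06-03T00:00:00Z');
```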

Pricing Strategy

Recommended Price: $149/month

Justification:

  • Average bounty value: $500-2000
  • Time saved: 10-20 hours/week on manual searching
  • ROI: One successful bounty covers 3-6 months subscription
  • Target market: Professional developers, bounty hunters, OSS contributors

Expected Revenue: $3,000-8,000/month

  • Conservative: 20 subscribers × $149 = $2,980/month
  • Target: 50 subscribers × $149 = $7,450/month
  • Optimistic: 100 subscribers × $149 = $14,900/month

Integration Examples

Node.js

const BountyScanner = require('github-bounty-finder');

const scanner = new BountyScanner({
  minBounty: 200,
  maxCompetition: 5
});

// scan() returns a promise, so await it inside an async function
// (top-level await is not available in CommonJS modules).
async function main() {
  const results = await scanner.scan({
    github: true,
    algora: true,
    limit: 100
  });

  console.log(`Found ${results.highPriority} high-priority bounties!`);
}

main().catch(err => { console.error(err); process.exit(1); });

CLI Automation

# Daily scan with cron
0 9 * * * github-bounty-finder scan --min-bounty 500 --output /path/to/results.json

Troubleshooting

API Rate Limits

If you hit GitHub API rate limits:

  • Use authenticated requests (set GITHUB_TOKEN)
  • Reduce scan frequency
  • Increase delay between requests

No Results Found

  • Lower your --min-bounty threshold
  • Increase --max-competition limit
  • Try different search queries

License

MIT

Support

For issues and feature requests, visit the GitHub repository.

