ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

github-search

v1.0.0

GitHub 仓库深度搜索与分析。支持按关键词、语言、stars、更新时间筛选,获取细分领域最新开源项目。专为技术调研设计。

1· 3.1k·25 current·26 all-time
bytbxsx@linshengli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, SKILL.md and the included scripts all implement GitHub repository search and detail fetching using the GitHub REST API. The optional use of GITHUB_TOKEN is appropriate for the described functionality. There are small mismatches in naming (SKILL metadata uses 'github-research' while registry slug is 'github-search') but this does not indicate malicious behavior.
Instruction Scope
SKILL.md instructs running the included Node scripts and to optionally set GITHUB_TOKEN. The runtime instructions do not direct reading unrelated files or sending data to unexpected endpoints. Two minor issues: (1) SKILL.md refers to a scripts/batch-detail.mjs and to an absolute workspace path (~/.openclaw/...) that are not present in the package (batch-detail.mjs is missing), and (2) the scripts use child_process.execSync to call curl rather than a native HTTP client — this works but increases reliance on the shell. No instructions request arbitrary file or credential access beyond the optional GitHub token.
Install Mechanism
This is an instruction-only skill with included JS scripts and no install spec or external downloads. Nothing is fetched from remote URLs during install. No high-risk install mechanisms detected.
Credentials
No required environment variables are declared. The code will use GITHUB_TOKEN if present to authenticate to the GitHub API — this is proportional and expected for higher-rate authenticated queries. No other secrets or unrelated environment variables are accessed.
Persistence & Privilege
The skill does not request persistent or elevated privileges; always is false and there is no behavior that modifies other skills or system/global configs.
Assessment
This skill appears to do what it says: search GitHub and produce structured summaries. Before installing or running it, consider: 1) It will use your GITHUB_TOKEN if you set that env var — only provide a token with the minimum scopes needed (no broad org admin tokens). 2) The scripts call curl via execSync (shell invocation); run them in a restricted environment if you distrust the source. 3) SKILL.md mentions a batch-detail script that is not included — if you rely on that feature, request the missing file from the author. 4) The package is small and has no external installer, but still review the scripts for any custom modifications you require and prefer running them in a sandbox the first time. If you want higher assurance, ask the publisher for provenance (source repo, homepage) or for the missing batch-detail script and a justification for using curl over built-in HTTP libraries.

Like a lobster shell, security has layers — review code before you run it.

latestvk97apcaxsk0w8rwxn5hfdysxd98211bh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐙 Clawdis

Comments