Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Team Collaboration

v1.0.0

GitHub team collaboration toolkit for managing team workflows, code reviews, issue tracking, sprint planning, and team metrics. Supports PR automation, issue...

by Lv Lancer (@kaiyuelv)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, SKILL.md, and included Python code all align: they implement GitHub PR, issue, milestone and metric functionality and call api.github.com as expected. However, the registry metadata claims no required environment variables or primary credential while both SKILL.md and the code require a GITHUB_TOKEN — this mismatch is a packaging inconsistency.
Instruction Scope
SKILL.md instructs the agent/user to set GITHUB_TOKEN and to import/use the provided functions only (which is appropriate). The runtime code does one unexpected/undesirable thing: when run as __main__ it prints the first 10 characters of the token to stdout (token[:10]...), which can expose part of the secret in logs or consoles. There are no instructions to read other system files or unrelated environment variables.
Install Mechanism
There is no install spec that downloads arbitrary artifacts. The package is instruction-and-code only, with a small requirements.txt (requests, python-dateutil) that matches the code. No suspicious external URLs or archive extraction were seen.
Credentials
The code and SKILL.md require a single environment secret (GITHUB_TOKEN) which is appropriate for GitHub API access, but the registry metadata incorrectly lists 'none' for required env vars and primary credential. That mismatch weakens trust and could lead to the agent being allowed to run without necessary consent checks. The skill does not request any other unrelated credentials.
Persistence & Privilege
The skill is not always-enabled, doesn't request elevated platform privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with broad undeclared credential access.
What to consider before installing
This package appears to implement the GitHub features it advertises, but note two practical concerns before installing or running it: (1) the skill uses a GitHub personal access token (GITHUB_TOKEN) but the registry metadata did not declare that — treat this as a packaging bug and expect to provide the token yourself; (2) the module prints the first 10 characters of your token when executed as a script, which can leak secrets into logs or consoles. Before using: verify the source/trustworthiness, prefer a token with minimal scopes (repo/read/write as needed), avoid running the package's __main__ in environments where logs are exposed (or remove the token-printing lines), and update or ask the publisher to correct the metadata to declare GITHUB_TOKEN as a required credential. If you need higher assurance, review or run the included tests locally and consider using a GitHub App or least-privilege token instead of a broad PAT.

Like a lobster shell, security has layers — review code before you run it.

Tags: collaboration, devops, github, latest, team
21 downloads · 0 stars · 1 version · Updated 8h ago · v1.0.0 · MIT-0

GitHub Team Collaboration

A comprehensive toolkit for managing GitHub team workflows, code reviews, and project coordination.

Features

  • Pull Request Automation: Auto-assign reviewers, check PR status, merge strategies
  • Issue Management: Triage, label, assign, and track issues
  • Sprint Planning: Milestone management, burndown charts, velocity tracking
  • Team Metrics: PR review time, issue resolution time, contributor stats
  • Workflow Automation: Branch protection, status checks, release management

Usage

Manage Pull Requests

from scripts.github_team import list_open_prs, assign_reviewers

# List open PRs
prs = list_open_prs("myorg", "myrepo")

# Auto-assign reviewers
assign_reviewers("myorg", "myrepo", 123, ["alice", "bob"])

Track Sprint Progress

from scripts.github_team import get_milestone_progress

# Get sprint progress
progress = get_milestone_progress("myorg", "myrepo", "Sprint-15")
print(f"Closed: {progress['closed_issues']}/{progress['total_issues']}")

Team Metrics

from scripts.github_team import get_team_metrics

# Analyze team metrics
metrics = get_team_metrics("myorg", "myrepo", days=30)
print(f"Avg review time: {metrics['avg_review_time']} hours")

GitHub API Authentication

Set your GitHub token as an environment variable:

export GITHUB_TOKEN="ghp_your_token_here"
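The scan above flags that the skill's __main__ prints token[:10] to stdout, while this section only says to export GITHUB_TOKEN. The following is an added example (not the skill's code and not part of the scan) of how an operator can confirm the token is present and scrub it from logs without ever printing its characters; the token-format regex and the sample token are constructed for the example.

```python
import hashlib
import os
import re

# Public GitHub token formats (constructed regex, not from the skill): classic PATs
# start with ghp_, fine-grained PATs with github_pat_, OAuth/App tokens with gho_/ghu_/ghs_/ghr_.
_TOKEN_RE = re.compile(r"\b(?:github_pat_[A-Za-z0-9_]{20,}|gh[opusr]_[A-Za-z0-9]{20,})")


def _type_prefix(token: str) -> str:
    """Non-secret type marker of a token ('ghp_', 'github_pat_', ...)."""
    if token.startswith("github_pat_"):
        return "github_pat_"
    head, sep, _ = token.partition("_")
    return head + sep if sep else "unknown"


def load_token(env=None) -> str:
    """Read GITHUB_TOKEN (required by the skill even though its registry metadata says 'none')."""
    env = os.environ if env is None else env
    token = env.get("GITHUB_TOKEN", "").strip()
    if not token:
        raise RuntimeError("GITHUB_TOKEN is not set; export it before importing scripts.github_team")
    return token


def describe_token(token: str) -> dict:
    """Return only what a sanity check needs: token type, length and a short SHA-256
    fingerprint. Unlike token[:10], none of the secret's characters appear."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    return {"type": _type_prefix(token), "length": len(token), "fingerprint": digest[:12]}


def redact(text: str) -> str:
    """Scrub full GitHub tokens from log or console text, keeping only the type prefix.
    Caveat: a partial leak such as token[:10] is too short to match, so the fix for the
    flagged __main__ is to stop printing token characters, not to rely on scrubbing."""
    return _TOKEN_RE.sub(lambda m: _type_prefix(m.group(0)) + "***", text)


if __name__ == "__main__":
    # Constructed sample token, not a real credential.
    tok = load_token({"GITHUB_TOKEN": "ghp_" + "x" * 36})
    print(describe_token(tok))
    print(redact(f"Authorization: token {tok}"))
```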

Supported Operations

  • Repository management
  • Pull request lifecycle
  • Issue tracking and triage
  • Milestone and project management
  • Team member activity
  • Release management
  • Webhook configuration
