GitHunt

v1.0.0

Find and rank GitHub developers by location, technology, and role. Search for candidates, get scored profiles with tech stack matches, activity, and contact info.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, scripts, and SKILL.md consistently describe a GitHub developer discovery service that queries https://api.githunt.ai. That purpose aligns with the network calls in the scripts. However the package metadata declares no required binaries while the included shell scripts require curl, jq, sed, and (in docs/examples) gunzip/grep — a mild inconsistency.
Instruction Scope
Runtime instructions limit actions to building JSON payloads and calling the githunt.ai API (streaming or non‑streaming). They do not instruct reading arbitrary local files or environment variables beyond an optional GITHUNT_API_URL override. Minor inconsistencies exist between variant SKILL.md files (streaming vs non‑streaming endpoints, free preview size 10 vs 15) but nothing directs the agent to exfiltrate unrelated system data.
Install Mechanism
No install spec is provided (instruction-only + scripts). No external archives or third‑party package installs are performed by the skill itself, so nothing is written to disk by an installer step beyond the included files.
Credentials
The skill declares no required credentials or environment variables. The scripts do accept an optional GITHUNT_API_URL env var to override the API endpoint, which is reasonable, but the skill does not declare required runtime tools (curl, jq, gunzip). There are no requests for unrelated secrets or system config paths.
Persistence & Privilege
The skill does not request persistently elevated privileges; always is false and it does not modify other skills or system settings. It only makes outbound API calls when invoked.
What to consider before installing
- This skill calls an external, third‑party API (https://api.githunt.ai). If you use it the agent will send search queries (locations, skills, etc.) to that service — verify you trust the operator and their privacy/terms (especially when retrieving contact info).
- The included scripts expect command‑line tools (curl, jq, sed and optionally gunzip/grep) even though the metadata lists none. Ensure those binaries are available in your agent runtime or the scripts will fail.
- The skill requires no credentials, but it may return contact emails/URLs scraped from public profiles; check legal and privacy implications (GDPR, anti‑spam) before using contact data for outreach.
- You can mitigate risk by testing with non-sensitive queries first, or by setting GITHUNT_API_URL to a proxy you control to inspect traffic.
- The repository/website listed (githunt.ai / github.com/mordka/githunt) appears in metadata — verify the source and maintainers if you plan to pay for full reports or rely on it in production.

Overall: the skill is not obviously malicious, but the mismatched dependency declarations, external API reliance, and contact‑info use justify caution and a quick manual vet (verify domain/repo, confirm required CLI tools, and test with safe queries) before enabling in production.

Like a lobster shell, security has layers — review code before you run it.
