Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Release Tracker
v1.1.0 · Track GitHub repository releases and generate prioritized summaries. Supports multiple repos, custom priority keywords, and delivery to Discord (forum posts...
⭐ 0 · 503 · 0 current · 0 all-time
by JO @jo9900
MIT-0
License MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (track GitHub releases, summarize, deliver to channels) match the instructions: gh CLI commands are used to list and view releases and output formats map to the stated delivery targets. No unrelated binaries, credentials, or install steps are requested.
Instruction Scope
Runtime instructions are narrowly scoped to reading release-tracker.json and the version store, running gh release list/view, summarizing changelogs, and delivering messages. One notable instruction: if the release body is sparse, it suggests checking a local CHANGELOG at /opt/homebrew/lib/node_modules/<package>/CHANGELOG.md. This is a filesystem read outside the repository, limited to a plausible installed-package location, but the path is built from a package name; if that name can be influenced by repository or release content, the read could be steered to other local files. Review how the package name is derived before granting broad filesystem access.
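The flow described above (version store, release JSON from gh, priority keywords, optional local CHANGELOG fallback), as an added example that is not the Release Tracker skill's own code and not OpenClaw's. It runs on constructed release records shaped like `gh release view --json tagName,name,body,publishedAt` output and makes no gh call; the node_modules base, the package-name regex and the sparse-body rule are the example's own assumptions. The part a reviewer would want to see is the fallback: the package name is validated before it touches a path, and the resolved path must stay under the node_modules base.

```python
"""Added example, not the Release Tracker skill's own code: the flow the scan
describes (version store, release JSON from gh, priority keywords, optional
local CHANGELOG fallback) on constructed data, with the check a reviewer
would want before that fallback: the package name is validated and the
resolved path must stay under the node_modules base. No gh call is made."""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Base directory the scan cites for the CHANGELOG fallback (assumed here).
NODE_MODULES = Path("/opt/homebrew/lib/node_modules")

# Conservative npm package-name shape: optional @scope/, then a name that
# starts with a letter or digit. No leading dot and no other slashes, so
# "../../etc/passwd" or "@x/../../etc" never reach the filesystem.
PACKAGE_NAME_RE = re.compile(r"(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*")


def local_changelog_path(package: str, base: Path = NODE_MODULES) -> Optional[Path]:
    """Return <base>/<package>/CHANGELOG.md, or None when the name is not a
    valid package name or the resolved path escapes <base>. resolve() follows
    symlinks, so a symlinked package directory pointing outside base is
    rejected as well."""
    if not PACKAGE_NAME_RE.fullmatch(package):
        return None
    candidate = (base / package / "CHANGELOG.md").resolve()
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


def score(release: dict, keywords: List[str]) -> int:
    """Count priority-keyword hits in tag, title and body (case-insensitive)."""
    text = f'{release["tagName"]} {release["name"]} {release["body"]}'.lower()
    return sum(text.count(k.lower()) for k in keywords)


def prioritize(releases: List[dict], keywords: List[str]) -> List[dict]:
    """Highest keyword score first; newest first within equal scores
    (sorted() is stable, so the date order survives the second sort)."""
    by_date = sorted(releases, key=lambda r: r["publishedAt"], reverse=True)
    return sorted(by_date, key=lambda r: score(r, keywords), reverse=True)


def unseen(repo: str, releases: List[dict], state: Dict[str, List[str]]) -> List[dict]:
    """Releases whose tag is not yet recorded for `repo` in the version store."""
    seen = set(state.get(repo, []))
    return [r for r in releases if r["tagName"] not in seen]


def mark_seen(repo: str, releases: List[dict], state: Dict[str, List[str]]) -> None:
    """Record tags in the version store (a dict the caller persists as JSON)."""
    tags = state.setdefault(repo, [])
    tags.extend(r["tagName"] for r in releases if r["tagName"] not in tags)


def summarize(repo: str, release: dict, keywords: List[str],
              package: Optional[str] = None, max_lines: int = 3) -> str:
    """One message per release. When the body is empty and a package name is
    known, report the vetted local CHANGELOG path instead of reading it blindly."""
    head = f'{repo} {release["tagName"]} (priority hits: {score(release, keywords)})'
    lines = [l.strip() for l in release["body"].splitlines() if l.strip()]
    if lines:
        return head + "\n" + "\n".join("  " + l for l in lines[:max_lines])
    path = local_changelog_path(package) if package else None
    if path is None:
        return head + "\n  release notes empty; no safe local CHANGELOG path"
    return head + f"\n  release notes empty; local CHANGELOG candidate: {path}"


# Constructed sample shaped like `gh release view --json tagName,name,body,publishedAt`.
SAMPLE_RELEASES = [
    {"tagName": "v2.3.0", "name": "v2.3.0", "publishedAt": "2024-05-01T00:00:00Z",
     "body": "Features\n- faster parser\nFixes\n- none"},
    {"tagName": "v2.3.1", "name": "v2.3.1", "publishedAt": "2024-05-08T00:00:00Z",
     "body": "Security: fix input validation in the parser.\nBreaking change: none."},
    {"tagName": "v2.4.0", "name": "v2.4.0", "publishedAt": "2024-05-20T00:00:00Z",
     "body": ""},
]
PRIORITY_KEYWORDS = ["security", "breaking change", "deprecat"]


def run_once(repo: str, releases: List[dict], state: Dict[str, List[str]],
             package: Optional[str] = None) -> List[str]:
    """One tracker pass: new releases only, highest priority first."""
    fresh = prioritize(unseen(repo, releases, state), PRIORITY_KEYWORDS)
    messages = [summarize(repo, r, PRIORITY_KEYWORDS, package) for r in fresh]
    mark_seen(repo, fresh, state)
    return messages


if __name__ == "__main__":
    store = {"example/parser": ["v2.3.0"]}      # constructed version store
    for msg in run_once("example/parser", SAMPLE_RELEASES, store, "example-parser"):
        print(msg)
```

The name check alone is not enough: a valid package directory can be a symlink to somewhere else, which is why the resolved path is re-checked against the resolved base. In a real run the records would come from `gh release list` followed by `gh release view --json`, and the store dict would be loaded from and written back to the state file the skill keeps in its workspace.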
Install Mechanism
No install spec; only an included setup.sh that creates config/state files and verifies gh is present and authenticated. No downloads or extracted archives, and the script does not install arbitrary software.
Credentials
The skill declares no required env vars or credentials. It relies on the user's gh authentication (gh auth) — which is appropriate for GitHub access but means the gh token's scopes determine what repos/releases are visible (including private repos). Delivery to Discord/Telegram/Slack appears to use the platform's messaging mechanism (message(action=...)) rather than requesting external tokens; confirm how your agent/OpenClaw is configured to post to those services.
Persistence & Privilege
always:false and normal agent invocation. The skill suggests configuring a cron job to invoke the skill, which is expected for periodic checks. The skill does not request permanent installation or modify other skills/configs.
Assessment
This skill appears to do what it says: it uses the gh CLI to check releases, stores a local state file, and posts summaries via the agent's delivery channels. Before installing:
- Ensure gh is installed and authenticated with only the scopes you intend (the gh token determines access to private repos).
- Review where you place the workspace (release-tracker.json and state file are written there) and run setup.sh from a directory you control.
- Confirm how your OpenClaw agent is configured to deliver messages to Discord/Telegram/Slack so you know which credentials are used and where messages will be sent.
- Note the optional local CHANGELOG read (/opt/homebrew/...): if sensitive files live under node_modules or similar paths, understand that the skill may attempt to read them when a matching package name is present.
- Run the setup and cron in an isolated session or test environment first to verify behavior and delivery targets.
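One way to act on the first checklist item (the gh token's scopes decide what the skill can see), as an added example that is not the skill's or gh's own code: parse `gh auth status` output and flag any scope outside an allowlist. The status text in the block is constructed, and the host-line and `Token scopes:` line layout is assumed from recent gh 2.x output, so treat the parser as version-dependent; the allowlist is a policy choice made here for a tracker that only needs to read releases.

```python
"""Added example, not the skill's or gh's own code: read the scopes of the gh
token the skill will inherit and flag any scope outside an allowlist. The
`gh auth status` text below is constructed; the 'Token scopes:' line format
is assumed from recent gh 2.x output and may differ between versions."""
import re
import subprocess
from typing import Dict, Set

SCOPES_LINE = re.compile(r"Token scopes:\s*(.*)")
QUOTED = re.compile(r"'([^']*)'")


def parse_token_scopes(status_text: str) -> Dict[str, Set[str]]:
    """Map host -> scopes. Host names are the unindented lines; each
    'Token scopes:' line belongs to the most recent host above it."""
    scopes: Dict[str, Set[str]] = {}
    host = None
    for line in status_text.splitlines():
        if line and not line[0].isspace():
            host = line.strip()
            scopes.setdefault(host, set())
            continue
        m = SCOPES_LINE.search(line)
        if m and host is not None:
            scopes[host] |= set(QUOTED.findall(m.group(1)))
    return scopes


def excess_scopes(found: Dict[str, Set[str]], allowed: Set[str]) -> Dict[str, Set[str]]:
    """Scopes per host that go beyond what the tracker needs."""
    return {h: s - allowed for h, s in found.items() if s - allowed}


def live_status_text() -> str:
    """Run gh auth status; older gh versions print it to stderr, so merge both."""
    p = subprocess.run(["gh", "auth", "status"], capture_output=True, text=True)
    return p.stdout + p.stderr


# Constructed sample (two hosts) in the shape gh prints; tokens are masked.
SAMPLE_STATUS = """github.com
  ✓ Logged in to github.com account octocat (keyring)
  - Active account: true
  - Git operations protocol: https
  - Token: gho_************************************
  - Token scopes: 'gist', 'read:org', 'repo', 'workflow'

ghe.example.internal
  ✓ Logged in to ghe.example.internal account svc-release-tracker (keyring)
  - Token: ghp_************************************
  - Token scopes: 'public_repo'
"""

# Listing public releases needs no write scope; 'repo' exposes private repos
# and grants write access, so it is outside this (assumed) allowlist.
ALLOWED = {"public_repo", "read:org"}

if __name__ == "__main__":
    found = parse_token_scopes(live_status_text())
    for host, extra in excess_scopes(found, ALLOWED).items():
        print(f"{host}: token carries scopes beyond the tracker's needs: {sorted(extra)}")
```

Run it once before wiring up the cron job; if it reports `repo` or `workflow`, the skill inherits more than read access to public releases, and a dedicated token (or a separate `gh auth login` with only the scopes you intend) is the cleaner fix.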
latest · vk978fvv1436xd2b1v3kb3hbewh81rqgv
