Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Version Bug Hunter

v1.0.0

Query GitHub bug/issue reports for a specific OpenClaw version. Use when the user wants to: (1) look up bugs/issues for a specific OpenClaw version, (2) check a pitfall-avoidance guide before upgrading, (3) search GitHub community feedback on version problems, (4) get a version stability assessment, (5) analyze how many serious bugs or regress...

by Neo Shi (@suidge)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the implementation: the script queries GitHub issues/PRs for openclaw/openclaw. This capability legitimately needs gh (GitHub CLI) and network/GitHub auth. However, the skill metadata lists no required binaries while the SKILL.md and script require gh (and the script also uses jq) — a mismatch between declared requirements and actual needs.
Instruction Scope
SKILL.md and scripts limit activity to querying the GitHub repo (gh issue/pr list/view). The instructions do not read unrelated files, exfiltrate data to external endpoints, or request unrelated credentials. They do assume you will run a local script file and use gh-authenticated access to GitHub.
Install Mechanism
There is no install spec (instruction-only with an included script). That minimizes installer risk. The SKILL.md references ClawHub and a GitHub repo, but no arbitrary download/install steps are defined in the bundle itself.
Credentials
The skill declares no required environment variables, but requires gh CLI which in turn uses stored GitHub credentials (gh auth) or environment tokens. The script also uses jq but this is not documented in the dependency list. The absence of declared binary/env requirements is an inconsistency you should verify before running.
Persistence & Privilege
The skill is not marked always:true and does not request elevated/system-wide privileges. It does not modify other skills or system configuration. Autonomous invocation is allowed by platform defaults but not exceptional here.
What to consider before installing
This skill appears to do what it says (search GitHub issues/PRs for a given OpenClaw version), but the package metadata omits required tools. Before installing/running: (1) inspect the included scripts yourself (you already have bug-hunt.sh) to confirm no unexpected behavior; (2) ensure gh and jq are installed and that you understand gh will use your GitHub credentials (check gh auth status and scopes); (3) run the script in a safe context (e.g., a terminal where you can review output) or a sandbox if you're cautious; (4) verify the upstream repo/author (SKILL.md references a GitHub URL) before trusting automated installs. The main issues are documentation/metadata gaps (undeclared dependency on jq and missing binary requirement), not obviously malicious code.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b1sbv9am33815bkyv5rdn3984mdes
