Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Stars Tracker

v1.0.0

Monitors GitHub repository star counts and sends notifications on change. Tracks star growth and fork changes for the repositories you specify and surfaces new trends. Suited to developers who want to follow a project's activity.

0 · 216 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, and scripts/tracker.py are consistent: the tool queries api.github.com for repository star counts and stores state locally. However, _meta.json declares a required binary and environment variable (python3, GITHUB_TOKEN) while the registry metadata at the top of the page says no binaries or environment variables are required. That mismatch is an inconsistency that should be reconciled.
Instruction Scope
SKILL.md instructs the user to run scripts/tracker.py and set GITHUB_TOKEN, which is appropriate. The script reads and writes ~/.github-stars-tracker.json and makes network calls only to api.github.com, as expected. There is, however, a coding bug: cmd_status calls fetch_repo, which is never defined, instead of fetch_repo_info, so the 'status' command fails at runtime with a NameError. The script also writes to the user's home directory (normal for a CLI tool, but worth noting).
Install Mechanism
No install spec (instruction-only, with an included script). No remote downloads or installers, so this is the lowest-risk install posture. The included code runs locally under Python.
Credentials
The only credential used is GITHUB_TOKEN (to raise the unauthenticated API rate limit), which is proportionate to the stated purpose. The manifest (_meta.json) declares this environment variable; the top-level registry metadata does not, an inconsistency to resolve. The script does not send the token anywhere other than in the Authorization header of its requests to api.github.com.
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It persists only to a single per-user file (~/.github-stars-tracker.json), which is within the expected scope for a tracker tool.
What to consider before installing
This skill appears to implement a simple GitHub stars/forks tracker and needs only a GitHub personal access token (GITHUB_TOKEN) and Python to run. However:
1) The package/registry metadata is inconsistent with _meta.json; verify which requirements are authoritative.
2) The tracker script writes a JSON file to your home directory (~/.github-stars-tracker.json); check its contents for any sensitive data.
3) The code contains a bug: cmd_status calls fetch_repo (undefined) instead of fetch_repo_info, so the 'status' command will fail.
4) There are no hidden endpoints or obfuscated code; network traffic goes only to api.github.com, with the provided token in the Authorization header.
Before installing: review the script locally (or run it in an isolated environment), create a PAT with minimal scopes (read access to public repositories is all the tool needs; no repo or write scopes), and correct the fetch_repo → fetch_repo_info call if you need the status command to work. If you want higher assurance, ask the author for source provenance or a homepage, since the skill's source/homepage are unknown.
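The "review the script locally" step above can be partly mechanised. The following is an added example, not the skill's own code and not ClawHub's scanner: a small ast-based first pass that lists the hosts a Python script mentions, the environment variables it reads, the home-directory paths it touches, and any called names that are never defined (the class of bug behind the fetch_repo/fetch_repo_info mismatch). SAMPLE_SCRIPT is a constructed stand-in with the shape the report describes, not the real scripts/tracker.py; the function and variable names in the example are the example's own.

```python
import ast
import builtins
import re

# Constructed stand-in for scripts/tracker.py. This is NOT the skill's code; it only
# reproduces the shape the scan report describes: a call to api.github.com with
# GITHUB_TOKEN in the Authorization header, state kept in
# ~/.github-stars-tracker.json, and cmd_status calling an undefined fetch_repo.
SAMPLE_SCRIPT = '''
import json
import os
import urllib.request

STATE_FILE = os.path.expanduser("~/.github-stars-tracker.json")
API = "https://api.github.com/repos/"

def fetch_repo_info(repo):
    req = urllib.request.Request(API + repo)
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        req.add_header("Authorization", "token " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def cmd_status(repo):
    info = fetch_repo(repo)   # bug: fetch_repo is never defined
    print(info["stargazers_count"])
'''

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def _env_read(node):
    """Variable name read by os.environ.get("X"), os.getenv("X") or os.environ["X"], else None."""
    if isinstance(node, ast.Call) and node.args and isinstance(node.args[0], ast.Constant) \
            and isinstance(node.args[0].value, str):
        f = node.func
        if isinstance(f, ast.Attribute) and (
            f.attr == "getenv"
            or (f.attr == "get" and isinstance(f.value, ast.Attribute) and f.value.attr == "environ")
        ):
            return node.args[0].value
    if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute) \
            and node.value.attr == "environ" and isinstance(node.slice, ast.Constant) \
            and isinstance(node.slice.value, str):
        return node.slice.value
    return None


def review_script(source):
    """Static first pass over a Python script: hosts it contacts, environment
    variables it reads, home-directory paths it touches, and called names that
    are never defined. Returns sorted lists so the result is easy to diff."""
    tree = ast.parse(source)
    hosts, env_vars, home_paths, undefined = set(), set(), set(), set()

    # Every name the module defines: builtins, imports, defs, classes,
    # assignment / with / for targets, and function parameters.
    defined = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            defined.add(node.name)
            if not isinstance(node, ast.ClassDef):
                defined.update(a.arg for a in node.args.args + node.args.kwonlyargs)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                defined.add((alias.asname or alias.name).split(".")[0])
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            defined.add(node.id)

    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            hosts.update(HOST_RE.findall(node.value))   # only literal URLs are seen
            if node.value.startswith("~/"):
                home_paths.add(node.value)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id not in defined:
                undefined.add(node.func.id)              # e.g. fetch_repo
        name = _env_read(node)
        if name is not None:
            env_vars.add(name)

    return {
        "hosts": sorted(hosts),
        "env_vars": sorted(env_vars),
        "home_paths": sorted(home_paths),
        "undefined_calls": sorted(undefined),
    }


def matches_scan_claims(report, allowed_hosts=("api.github.com",), allowed_env=("GITHUB_TOKEN",)):
    """True when the script mentions only the expected hosts and reads only the
    expected secrets. Undefined calls are reported but do not fail this check."""
    return set(report["hosts"]) <= set(allowed_hosts) and set(report["env_vars"]) <= set(allowed_env)


if __name__ == "__main__":
    import json
    rep = review_script(SAMPLE_SCRIPT)
    print(json.dumps(rep, indent=2))
    print("consistent with scan report:", matches_scan_claims(rep))
```

Run it against the real scripts/tracker.py instead of SAMPLE_SCRIPT and compare the output with the claims in the report: one host (api.github.com), one environment variable (GITHUB_TOKEN), one home-directory path, and fetch_repo in the undefined-call list. Anything extra is worth a closer look. The check is a first pass only: a script that builds URLs from concatenated or decoded fragments, or reads secrets through an indirection, will not show up here, which is why reading the code remains necessary.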


latest: vk9777x7h78qxns5sr04qmq0h0d830mwx

