Skill v1.0.0
ClawScan security
Github Stars Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 16, 2026, 7:50 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill generally matches a stars-tracker tool, but there are internal inconsistencies (manifest vs registry) and a buggy reference in the script that suggest sloppy/unfinished implementation — review before use.
- Guidance
- This skill appears to implement a simple GitHub stars/forks tracker and only needs a GitHub personal access token (GITHUB_TOKEN) and Python to run. However: 1) The package/registry metadata is inconsistent with _meta.json — verify which requirements are authoritative. 2) The tracker script writes a JSON file to your home directory (~/.github-stars-tracker.json); check its contents for any sensitive data. 3) The code contains a bug: cmd_status calls fetch_repo (undefined) instead of fetch_repo_info — the 'status' command may fail. 4) There are no hidden endpoints or obfuscated code — network traffic goes to api.github.com with the provided token. Before installing: review the script locally (or run it in an isolated environment), consider creating a PAT with minimal scopes (no repo/write if not needed), and correct the fetch_repo → fetch_repo_info call if you need the status command to work. If you want higher assurance, ask the author for source provenance or a homepage, since the skill's source/homepage are unknown.
Review Dimensions
- Purpose & Capability
- note
- Name/description, SKILL.md, and scripts/tracker.py align: the tool queries api.github.com for repo stars and stores state locally. However, _meta.json declares required binaries/env (python3, GITHUB_TOKEN) while the registry metadata at the top says no required bins/env; that mismatch is inconsistent and should be reconciled.
- Instruction Scope
- concern
- SKILL.md instructs running scripts/tracker.py and setting GITHUB_TOKEN, which is appropriate. The script reads/writes ~/.github-stars-tracker.json and performs network calls only to api.github.com (expected). However, there is a coding bug: cmd_status calls fetch_repo (undefined) instead of fetch_repo_info, causing runtime failure for the 'status' command. The script also writes to the user's home directory (normal for a CLI tool but worth noting).
- Install Mechanism
- ok
- No install spec (instruction-only + included script). No remote downloads or installers; lowest-risk install posture. The included code will run locally with Python.
- Credentials
- note
- The only credential used is GITHUB_TOKEN (to avoid rate limits), which is proportionate to the stated purpose. The manifest (_meta.json) declares this env var; the top-level registry metadata does not, an inconsistency to resolve. The script does not send the token to any other endpoint beyond including it in the Authorization header to api.github.com.
- Persistence & Privilege
- ok
- The skill does not request elevated platform privileges or always:true. It persists only to a single per-user file (~/.github-stars-tracker.json), which is within the expected scope for a tracker tool.
