Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GithubIssue
v1.0.0
Generate structured GitHub issue cards for the WeBuddhist team. Use this when a backend dev needs to document a new or changed endpoint, or when a frontend/a...
⭐ 0· 96·0 current·0 all-time
by @tech-lo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to create and link GitHub issues and project items using `gh` commands, which legitimately requires the GitHub CLI and an authenticated GitHub token with appropriate scopes. However, the skill's metadata lists no required binaries or env vars. The missing declaration of `gh` (or equivalent) is an inconsistency between what the skill does and what it declares.
Instruction Scope
The SKILL.md instructions stay on-topic: parse inputs, generate an issue body, prompt the user, list repos/projects and create an issue and project item. Instructions do not request unrelated files or system data. They do, however, instruct running `gh` commands which will use the user's GitHub credentials and data — expected for this purpose.
Install Mechanism
This is instruction-only (no install spec, no code files). That limits disk installation risk. There are no downloads or external install mechanisms to review.
Credentials
The skill implicitly requires access to GitHub credentials (a `gh`-authenticated session or GITHUB_TOKEN) and specifically asks to check `gh auth status` and to refresh auth with `project` scope. Yet `requires.env` and the primary credential are empty. The skill should declare the need for the GitHub CLI and clarify required credential scopes; as it stands, the metadata declares no credentials even though the skill depends on them.
Persistence & Privilege
`always` is false and the skill does not request persistent system-wide changes. It will invoke `gh` commands when run, which is expected. Autonomous invocation is allowed by default but is not, by itself, a new concern here.
What to consider before installing
This skill appears to do what it says (generate and create GitHub issue cards) but it omits important runtime requirements. Before installing or enabling it:
- Confirm that the agent environment has the GitHub CLI (`gh`) available and up-to-date; the skill's metadata should list this but currently does not.
- Be aware the skill will use your GitHub authentication (the `gh` session or a token) and may run `gh auth status`, `gh repo list`, `gh project list`, `gh issue create`, and `gh project item-add`. Ensure the token/session has only the minimum scopes (it explicitly needs the `project` scope) and that you trust the skill to act with those permissions.
- Because the skill's source/homepage is unknown, consider testing it in a separate account or organization with limited privileges first.
- If you plan to install it broadly, ask the publisher to update the skill metadata to declare required binaries (`gh`) and the required credential/scopes (e.g., GITHUB_TOKEN or gh-authenticated session with `project` scope) so you can make an informed permission decision.

Like a lobster shell, security has layers — review code before you run it.
