Github_tracker
Monitors GitHub organization commits daily, providing team activity updates and current standings on demand via /team-status command.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 37 · 0 current installs · 0 all-time installs
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The Python script implements a GitHub org/team commit monitor (consistent with the skill name). However, the SKILL.md and registry metadata are inconsistent with the code: SKILL.md instructs setting GITHUB_ORG, but monitor.py hardcodes ORG = "OpenPecha" and TEAM_SLUG = "openpecha-dev-team". The registry lists no required env vars or primary credential, but the script requires GITHUB_TOKEN. The hardcoded org/team reduces usefulness for other orgs and contradicts the declared instructions.
Instruction Scope
SKILL.md instructs the user to set GITHUB_TOKEN and GITHUB_ORG and to post the script output to #dev-updates. The script only reads GITHUB_TOKEN (and ignores GITHUB_ORG). The doc's instruction to post outputs externally is an operational step that may leak commit metadata; the script also writes a local state.json containing full search_responses (raw commit JSON), which may contain personal data (emails, URLs). The instructions are not fully aligned with the code and grant broad discretion for posting results.
Install Mechanism
There is no install spec (instruction-only + a code file), which is low risk. However the script depends on the Python requests library (not declared in SKILL.md or metadata), so the runtime environment must have requests installed or the script will fail. No external downloads or opaque installers are used.
Credentials
The script requires a GitHub personal access token (GITHUB_TOKEN) with scopes to read organization/team membership and search commits (not declared in the registry). SKILL.md also asks for GITHUB_ORG, but the code ignores it. Requiring a GitHub token is reasonable for the stated purpose, but omitting that from the declared requirements and hardcoding org/team is disproportionate and confusing. The token could expose organization data — ensure minimal scopes and secure storage.
Persistence & Privilege
The skill does not request elevated platform privileges or set always:true. It writes and reads a local state.json file in the working directory (normal for a monitor). It does not modify other skills or system config. Autonomous invocation is permitted by default (not an additional privilege) but should be considered when enabling automated runs that can post data externally.
What to consider before installing
This skill appears to implement a GitHub team commit monitor but has several issues you should address before installing or running it:
- Required credentials: The script requires a GITHUB_TOKEN (Personal Access Token) but the registry metadata did not declare this. Do not provide a token until you confirm the scope needed. Prefer the least-privilege scopes (read-only org and repo access as appropriate) and store the token securely.
- Hardcoded organization/team: monitor.py hardcodes ORG = "OpenPecha" and TEAM_SLUG = "openpecha-dev-team", while SKILL.md suggests using GITHUB_ORG. If you intend to monitor a different org/team, update the script or ensure the author parameterizes these values.
- Undeclared dependency: The script uses the Python requests library but SKILL.md/metadata do not list it. Ensure your environment has requests installed (pip install requests) or update the skill to declare its dependency.
- Local persistence and data exposure: The script writes state.json containing full commit search responses (emails, URLs, commit metadata). Review sample_state.json for sensitive data. If you will post outputs to a channel (SKILL.md suggests #dev-updates), confirm you are comfortable sharing that commit metadata publicly and remove or redact sensitive fields if needed.
- Operational guidance: Before automating (cron), run the script manually with a minimal-scope token and inspect state.json and printed output. Consider parameterizing org/team via environment variables and minimizing stored data. If you don't trust the source, have a developer review or sanitize the code (replace hardcoded values, add explicit env var handling, and avoid persisting entire API responses).
Given these inconsistencies (undeclared token requirement, hardcoded org/team, missing dependency, persisted commit payloads), treat the skill as suspicious until the author clarifies or you patch the script. If you want to proceed, verify token scope, install requests, and test in an isolated environment.
Current version: v1.0.1
SKILL.md
Org Commit Monitor
Setup
- Place monitor.py and SKILL.md in the skill folder.
- Get the list of members needed for this skill from monitor.py.
- Set environment variables:
  GITHUB_TOKEN: Your Personal Access Token.
  GITHUB_ORG: Your Organization name.
Automation
- Cron: 30 4 * * * (runs daily at 10:00 AM IST; adjust for the UTC timezone offset)
- Action: Run python3 monitor.py and post the output to #dev-updates.
Commands
/team-status: Runs the script immediately to show current standings.
Files: 3 total