Github_tracker
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill appears to track GitHub commits, but it asks for a broad GitHub token and is hardcoded to OpenPecha despite setup text implying the organization is configurable.
Before installing, verify that you really want to monitor OpenPecha or edit the code to use your intended organization and team. Use a fine-grained read-only GitHub token with the smallest possible repository access, remove or ignore bundled sample state, and only enable the daily cron/channel posting after reviewing exactly what it will publish.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tracker may monitor or report on the wrong GitHub organization unless the user edits the code directly.
The code is fixed to a specific organization and team, while SKILL.md tells users to set GITHUB_ORG as their organization. That mismatch can mislead users about what account data will be queried.
ORG = "OpenPecha"
TEAM_SLUG = "openpecha-dev-team"
Make the organization and team slug configurable, actually read GITHUB_ORG, document defaults clearly, and require users to confirm the target before scheduling automation.
A broad token could expose private repository metadata and team activity to the script and to any configured update channel, even though the visible purpose is only activity reporting.
The script asks for a broad GitHub token and uses it to enumerate all organization repositories, including private repositories when available. The registry metadata declares no credential or environment variable requirement.
"Set GITHUB_TOKEN in your environment (Personal Access Token with repo scope)." ... "type": "all" ... "public + private when the API exposes both"
Use a fine-grained, read-only GitHub token limited to the intended organization or repositories, declare the credential requirement in metadata, and avoid classic broad repo-scope tokens where possible.
If enabled, the tracker can keep posting team activity updates without a per-run approval.
The skill documents persistent daily execution and posting to a channel. This is purpose-aligned and user-directed, but it continues unattended once configured.
**Cron**: `30 4 * * *` ... **Action**: Run `python3 monitor.py` and post output to #dev-updates.
Only enable the cron job after confirming the target organization, token scope, output content, and destination channel; keep an easy way to disable it.
Local state or bundled examples may expose personal or internal GitHub activity details if shared, committed, or posted unintentionally.
The bundled sample state contains raw GitHub API response data, including commit author email, commit message, and repository metadata. This suggests state files may contain more detail than the final standings.
"search_responses": [ ... "email": "tibetdelek@gmail.com" ... "message": "synchronizing variables with user prompt" ... "repository": { ... } ]
Remove real sample data before distribution, store only the minimum fields needed for standings, and keep any generated state files out of shared repositories or public channels.
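As an added example (not the skill's own code), the Python below sketches the remediation for the first and fourth findings together: the organization and team slug are read from GITHUB_ORG and GITHUB_TEAM_SLUG with the currently hardcoded values kept only as defaults, and raw search responses are reduced to the three fields standings need before any state is written. The GITHUB_TEAM_SLUG variable name, the commit-search response shape and the sample data are assumptions.

```python
import os

# Defaults mirror the values the review found hardcoded in monitor.py; the
# environment variables now override them instead of being ignored.
DEFAULT_ORG = "OpenPecha"
DEFAULT_TEAM_SLUG = "openpecha-dev-team"

def resolve_target(env: dict) -> tuple:
    """Return (org, team_slug) from GITHUB_ORG / GITHUB_TEAM_SLUG, else defaults."""
    org = env.get("GITHUB_ORG", "").strip() or DEFAULT_ORG
    team = env.get("GITHUB_TEAM_SLUG", "").strip() or DEFAULT_TEAM_SLUG
    return org, team

def minimize_commit(item: dict) -> dict:
    """Keep only what standings need; drop author email, message and repository."""
    author = item.get("author") or {}  # null when the commit is not linked to a user
    commit_author = (item.get("commit") or {}).get("author") or {}
    return {"sha": item.get("sha", ""),
            "login": author.get("login", "unknown"),
            "date": commit_author.get("date", "")}

def minimize_state(raw_state: dict) -> dict:
    """Rewrite the raw 'search_responses' dump into a minimal, shareable state."""
    commits = [minimize_commit(item)
               for resp in raw_state.get("search_responses", [])
               for item in resp.get("items", [])]
    return {"commits": commits}

def tally_standings(state: dict) -> dict:
    """Commit counts per login, computed from the minimized state only."""
    counts = {}
    for c in state["commits"]:
        counts[c["login"]] = counts.get(c["login"], 0) + 1
    return counts

# Constructed sample in the assumed shape of a GitHub commit-search response.
SAMPLE_STATE = {"search_responses": [{"total_count": 3, "items": [
    {"sha": "a1", "author": {"login": "alice"}, "repository": {"private": True},
     "commit": {"author": {"email": "alice@example.com", "date": "2026-05-17T09:00:00Z"},
                "message": "fix parser"}},
    {"sha": "b2", "author": {"login": "alice"}, "repository": {"private": False},
     "commit": {"author": {"email": "alice@example.com", "date": "2026-05-17T10:00:00Z"},
                "message": "add tests"}},
    {"sha": "c3", "author": None, "repository": {"private": True},
     "commit": {"author": {"email": "bob@example.com", "date": "2026-05-17T11:00:00Z"},
                "message": "docs"}}]}]}

if __name__ == "__main__":
    print(resolve_target(dict(os.environ)))
    print(tally_standings(minimize_state(SAMPLE_STATE)))
```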
