Idea Coach

v0.2.0

AI-powered idea/problem/challenge manager with GitHub integration. Captures, categorizes, reviews, and helps ship ideas to repos.

1· 2.2k·6 current·6 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (idea manager with GitHub integration) matches the code and SKILL.md: it captures ideas, stores them under ~/.openclaw/idea-coach, and performs GitHub actions via the gh CLI. However the registry metadata claims no required binaries or env vars, while both README.md and SKILL.md (and the code) expect Python and the gh CLI to be present and authenticated. That mismatch is a configuration/information inconsistency.
Instruction Scope
The SKILL.md instructions and the included code focus on local idea CRUD, review scheduling, and GitHub operations. The runtime behavior described and visible in the code is limited to reading/writing local files under the user's home directory and calling the gh CLI. There are references in docs to optional cron/heartbeat and 'Memory-Integration', but the behaviors shown do not instruct the agent to read unrelated system files or exfiltrate data to unknown endpoints.
Install Mechanism
No install spec is provided (instruction-only skill with code included). No remote downloads or installer scripts are present. The code is included in the package; nothing in the manifest indicates fetching arbitrary external archives or running installers from untrusted URLs.
Credentials
The package declares no required environment variables or primary credential, yet relies on the gh CLI for GitHub operations. gh uses locally stored authentication (gh auth / GITHUB_TOKEN or OAuth) — the skill will operate with whatever GitHub permissions the user's gh session provides. Because the manifest doesn't declare this necessary binary or the credential implications, a user may unknowingly grant a skill the ability to create repos, issues, or modify repositories via their existing gh authentication. That omission is a proportionality/clarity concern.
Persistence & Privilege
The skill stores data under ~/.openclaw/idea-coach and does not request to be always-enabled. It does not appear to modify other skills or system-wide agent configuration. Described cron/heartbeat behavior is optional/documented rather than being automatically installed in the provided code.
What to consider before installing
This skill largely does what it says — local idea storage and GitHub integration — but the package metadata omits that it needs Python and the gh CLI and that gh will use whatever GitHub credentials are configured on your machine. Before installing or running it:
1) inspect scripts/coach.py yourself (it’s bundled and readable) to confirm there are no hidden actions;
2) ensure you trust the repository owner because gh commands will run with your gh auth and can create repos/issues;
3) run it under a limited account or sandbox if you want to limit GitHub scope;
4) back up ~/.openclaw/idea-coach/ideas.json before use; and
5) ask the publisher to update the manifest to declare the gh dependency and document exactly which gh operations will be performed (create repo, push, issue creation, etc.).
If you want higher assurance, request a complete, untruncated copy of the script to review the remainder of the GitHub functions (repo creation/sync) before using.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766h9d15212082jbef9y678d80dp6y
