Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Semantic Search

v1.0.0

AI-Native GitHub Assistant powered by Embedder+Qdrant+LLM architecture. Index repos, semantic search across issues/PRs/code, proactive monitoring with Feishu...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Functionality (indexing, semantic search, monitoring) matches the name/description and SKILL.md. However the package metadata declares no required binaries/env but the code requires the GitHub CLI, a local Ollama embeddings endpoint, Qdrant, and the openclaw CLI. Also the scripts hard-code Windows paths (GH_EXE and D:\ChatAI paths), which is an implementation detail that wasn't declared.
Instruction Scope
SKILL.md instructions cover index/search/monitor flows and list high-level prerequisites (gh, Ollama, Qdrant). The runtime scripts, however, also: write state to a specific local file (D:\ChatAI\OpenClaw\github_monitor_state.json), call a local embedding HTTP endpoint (http://localhost:11434), and invoke 'openclaw message send' to post Feishu alerts to a hard-coded user id. Those behaviors are consistent with monitoring but are not fully documented in the metadata and grant the skill the ability to transmit indexed content to an external chat channel.
Install Mechanism
Instruction-only with included scripts; there is no install spec that downloads or extracts remote archives. Risk from install mechanism is low. The runtime requires external services (Ollama, Qdrant) and system CLIs which are not installed by the skill.
Credentials
No required env vars are declared, but the code will use the user's GitHub credentials via the gh CLI, the user's Ollama/Qdrant instances, and the openclaw CLI to send Feishu messages. The monitor will transmit alert content (issue/PR text, potentially private data) to a hard-coded Feishu user via openclaw. The lack of declared credentials/permissions and the hard-coded external recipient make privilege/credential access proportionality unclear.
Persistence & Privilege
always:false and user-invocable are appropriate. The skill does create/modify a local state file under a hard-coded path, but it does not attempt to change other skills or global agent configuration.
What to consider before installing
This skill performs GitHub indexing, semantic search, and proactive monitoring and will use your local GitHub CLI auth and local Ollama/Qdrant services. Before installing or running it:
1. Review and, if needed, change the hard-coded paths (GH_EXE, OLLAMA_MODELS, STATE_FILE) so they match your OS and do not write to unexpected locations.
2. Understand that the monitor sends alerts via 'openclaw message send' to a hard-coded Feishu user id: check or replace that recipient and make sure you consent to sending repo content to Feishu.
3. Confirm you want the skill to access your gh-authenticated account (it will read issues/PRs and CI data via the gh CLI, including private repo content if your gh session allows it).
4. Run the scripts in an isolated environment or on a test repo first.
5. Ask the publisher to declare required binaries and any credentials explicitly (gh, Ollama running locally, Qdrant, openclaw) and to remove hard-coded IDs/paths for safer, cross-platform usage.


Tags: github, latest, monitoring, productivity, qdrant, vector-search
