Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Gem Seeker

v1.0.0

Search GitHub for battle-tested solutions instead of reinventing the wheel. Use when the user problem is universal enough that open source developers have pr...

by Wells Wu (@wells1137)

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability

The name and description (search GitHub and use existing projects) match the instructions to find and run open-source tools. Installing tools at runtime is plausible for such a skill, but it declares no required binaries even though it mandates installing tools dynamically; the absence of any explicit constraint on what may be installed is noteworthy.

Instruction Scope

SKILL.md explicitly tells the agent to 'Install the chosen tool (pip, npm, apt, or direct download)' and 'Run it with the user's input/files' with no guidance on verification, sandboxing, or permission prompts. That gives the agent broad discretion to fetch and execute arbitrary code against user files or the runtime environment: scope creep from 'find a repo' to 'fetch and execute unknown code'.

Install Mechanism

The package carries no install spec, but the instructions promote package managers or direct downloads. Direct downloads and ad-hoc installs (especially from arbitrary GitHub repositories) are high risk without integrity checks, pinned releases, or trusted sources. The skill provides no guardrails: no checksums, no restriction on release hosts, and no preference for packaged releases.

Credentials

The skill requests no environment variables, credentials, or config paths, which is proportionate to its purpose. However, because it instructs the agent to install external tools, those tools could themselves require credentials or access to other systems; the skill offers no guidance about that possibility.

Persistence & Privilege

The metadata declares always: false and no install-time persistence. The skill does not request permanent presence or system-wide configuration changes.

What to consider before installing

This skill is coherent with its goal (find and use GitHub projects), but it instructs the agent to install and run third-party code without verification. Before installing or running anything:

  • require explicit user approval for every install and every executable the agent wants to run;
  • prefer official releases from trusted hosts (GitHub releases, PyPI, the npm registry) over direct downloads from arbitrary repositories;
  • verify checksums or signatures, or pin exact versions;
  • run the tool in a sandbox (container, VM) or an ephemeral environment rather than on your main system, and never run unreviewed binaries there;
  • ask the agent to report the exact install commands and source URLs before it proceeds.

If you cannot accept those risks, do not enable this skill.
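The checks listed above can be put in front of any install the agent proposes. The script below is an added example written for this review; it is not code from the skill, from its author, or from ClawHub. It refuses a source whose host is not on an allowlist, refuses an artifact whose SHA-256 does not match a digest the user pinned in advance, and, when both checks pass, prints the exact install command and source URL for approval instead of executing them. The allowed hosts, the stand-in artifact and its digest are assumptions constructed for the demo; nothing is downloaded or installed.

```shell
#!/bin/sh
# Added example (not part of the skill or ClawHub): gate an install on a host
# allowlist and a pinned SHA-256, and print the command for approval instead of
# running it. Allowed hosts, the stand-in artifact and its digest are assumptions.

# Registries/hosts the user is willing to install from (assumed policy).
ALLOWED_HOSTS="github.com files.pythonhosted.org pypi.org registry.npmjs.org"

# sha256_of FILE: hex digest, portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# url_host URL: the host part, e.g. https://github.com/a/b -> github.com
url_host() {
  h=${1#*://}      # strip scheme
  h=${h%%/*}       # strip path
  h=${h%%:*}       # strip port
  printf '%s\n' "$h"
}

# host_allowed URL: succeeds only if the URL's host is on ALLOWED_HOSTS.
# Exact match, so raw.githubusercontent.com or a lookalike domain does not pass.
host_allowed() {
  host=$(url_host "$1")
  for allowed in $ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# verify_artifact FILE EXPECTED_SHA256: succeeds only if the digest matches
# the value the user pinned from the release page or a lockfile.
verify_artifact() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# guarded_install URL FILE EXPECTED_SHA256 INSTALL_CMD...
# Runs both checks, then prints the exact command and source URL for the user
# to approve. Returns 2 (host not allowed) or 3 (digest mismatch) and runs
# nothing on failure. Swap the final echo for "$@" "$file" only once an
# explicit approval step sits in front of it.
guarded_install() {
  url=$1; file=$2; expected=$3; shift 3
  if ! host_allowed "$url"; then
    echo "REFUSED: host $(url_host "$url") is not on the allowlist ($url)" >&2
    return 2
  fi
  if ! verify_artifact "$file" "$expected"; then
    echo "REFUSED: sha256 of $file does not match pinned $expected" >&2
    return 3
  fi
  echo "APPROVE? source:  $url"
  echo "APPROVE? command: $* $file"
  return 0
}

# --- Demo on a constructed stand-in artifact (no network, nothing installed) ---
demo_dir=$(mktemp -d)
artifact="$demo_dir/example-1.2.3-py3-none-any.whl"   # constructed, not a real wheel
printf 'stand-in wheel contents\n' > "$artifact"
pinned=$(sha256_of "$artifact")   # in practice copied from the release page, not computed locally
src="https://files.pythonhosted.org/packages/example-1.2.3-py3-none-any.whl"
zero=$(printf '%064d' 0)

guarded_install "$src" "$artifact" "$pinned" pip install --no-deps || true   # passes: printed for approval
guarded_install "$src" "$artifact" "$zero" pip install --no-deps || true     # digest mismatch: refused
guarded_install "https://raw.githubusercontent.com/someone/tool/main/install.sh" \
  "$artifact" "$pinned" sh || true                                           # "direct download" host: refused
rm -rf "$demo_dir"
```

The host check is deliberately an exact match: a raw-file URL on raw.githubusercontent.com, or a domain such as github.com.evil.example, is refused even though it looks like GitHub. The pinned digest must come from somewhere the agent does not control (the release page, a lockfile, a signed manifest); computing it from the freshly downloaded file, as the demo does only to fabricate a fixture, verifies nothing.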

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

  • 💎 Clawdis

latest: vk975brmnnh3ba0k4wy44kewnqd81vwd8
431 downloads · 1 star · 1 version · Updated 9h ago
v1.0.0 · MIT-0

GitHub Gem Seeker

Find and use battle-tested open source projects on GitHub to solve the user's problem immediately. After successfully solving the problem, offer to package the solution into a reusable skill.

Core Philosophy

Classic open source projects, tested by countless users over many years, are far more reliable than code written from scratch. Solve the problem first, skill-ify later.

Workflow

Step 1: Understand the Need

Clarify what the user wants to accomplish. Ask only if truly ambiguous:

  • What specific problem are you trying to solve?
  • What format/input/output do you expect?

Step 2: Find the Right Tool

Search for GitHub projects using effective query patterns:

| Need Type    | Query Pattern                         | Example                    |
|--------------|---------------------------------------|----------------------------|
| Tool/utility | github [task] tool                    | github video download tool |
| Library      | github [language] [function] library  | github python pdf library  |
| Alternative  | github [known-tool] alternative       | github ffmpeg alternative  |

Step 3: Evaluate Quality (Quick Check)

Assess candidates using key indicators:

| Indicator     | Gem Signal                                 | Warning Signal            |
|---------------|--------------------------------------------|---------------------------|
| Stars         | 1k+ solid, 10k+ excellent, 50k+ legendary  | <100 for mature projects  |
| Last commit   | Within 6 months                            | >2 years ago              |
| Documentation | Clear README, examples                     | Sparse or outdated docs   |

Step 4: Solve the Problem

This is the priority. Install the tool and use it to solve the user's actual problem:

  1. Install the chosen tool (pip, npm, apt, or direct download)
  2. Run it with the user's input/files
  3. Deliver the result to the user
  4. Troubleshoot if needed—iterate until solved

Step 5: Credit the Gem & Offer Next Steps (Post-Success Only)

Only after the problem is successfully solved:

  1. Credit the open source project — Always share the GitHub repo URL and encourage support:

    "This was powered by [Project Name] — an amazing open source project! GitHub: [URL] If it helped you, consider giving it a ⭐ star to support the maintainers."

  2. Offer to skill-ify — Optionally mention:

    "If you'll need this again, I can package it into a reusable skill for instant use next time."

Do NOT skip crediting the project. Open source thrives on recognition.

Quality Tiers

| Tier      | Criteria                        | Examples                     |
|-----------|---------------------------------|------------------------------|
| Legendary | 50k+ stars, industry standard   | FFmpeg, ImageMagick, yt-dlp  |
| Excellent | 10k+ stars, strong community    | Pake, ArchiveBox             |
| Solid     | 1k+ stars, well-documented      | Most maintained tools        |
| Promising | <1k stars, active development   | Newer niche projects         |

Prefer higher tiers for reliability.

Example Interaction

User: I need to download this YouTube video: [link]

Correct approach:

  1. Identify yt-dlp as the legendary-tier solution
  2. Install yt-dlp
  3. Download the video for the user
  4. Deliver the downloaded file
  5. After success: "This was powered by yt-dlp (https://github.com/yt-dlp/yt-dlp) — give it a ⭐ if it helped! If you download videos often, I can turn this into a skill for instant use next time."

Wrong approach:

  • ❌ "I found yt-dlp, want me to make a skill for it?"
  • ❌ Presenting options without solving the problem

Common Gems Reference

| Category                | Go-to Gems                      |
|-------------------------|---------------------------------|
| Video/Audio processing  | FFmpeg, yt-dlp                  |
| Image processing        | ImageMagick, sharp              |
| PDF manipulation        | pdf-lib, PyMuPDF                |
| Web scraping            | Playwright, Puppeteer, Scrapy   |
| Format conversion       | Pandoc, FFmpeg                  |
| Archiving               | ArchiveBox                      |
| Desktop app packaging   | Electron, Tauri, Pake           |
