Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gh Standup

v1.0.0

Generate a GitHub standup summary covering the period since the last standup. Use when the user asks for a standup, work summary, weekly update, or "what did...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zerone0x/gh-standup.

Install the skill "Gh Standup" (zerone0x/gh-standup) from ClawHub.
Skill page: https://clawhub.ai/zerone0x/gh-standup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install zerone0x/gh-standup

ClawHub CLI


npx clawhub@latest install gh-standup
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (generate a GitHub standup) matches the implementation: the script uses the GitHub CLI ('gh') and GitHub API data. However, the registry metadata lists no required binaries or credentials while both SKILL.md and scripts/standup.py require an installed, authenticated 'gh' CLI. The omission in metadata is an incoherence that could mislead users about what is needed to run the skill.
Instruction Scope
SKILL.md and the script limit their actions to GitHub data via the 'gh' CLI (fetching repos, PRs, and commits for specified repos/orgs and authors) and printing a summary. The runtime instructions do not direct the agent to read unrelated files, exfiltrate data to arbitrary endpoints, or modify other skills/config. The only external interaction is via the user's authenticated GitHub CLI.
Install Mechanism
There is no install spec (instruction-only skill with an included Python script). No remote downloads or package installs are performed by the skill. This is low-risk from an install mechanism standpoint, but the presence of an executable script without corresponding install metadata contributed to the metadata inconsistency noted above.
Credentials
The skill declares no required environment variables or primary credential, yet it depends on the user's authenticated 'gh' CLI session (which typically relies on stored GitHub credentials or GH_TOKEN). That dependency is proportionate to the task, but it is not declared in the metadata, so users may not realize it uses their GitHub authentication context.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not modify other skills or system-wide configuration. It only reads GitHub via the 'gh' CLI and prints output.
What to consider before installing
This skill appears to do what it says (build a standup summary from GitHub), but the registry metadata is incomplete: the script and SKILL.md require the 'gh' CLI and an authenticated GitHub session even though the skill lists no required binaries or credentials. Before installing or running it:

  • Verify you have the 'gh' CLI installed and authenticated (run 'gh auth status').
  • Review the included scripts/standup.py yourself (it is simple and readable) and run it locally rather than granting any automated agent broad access.
  • Use least-privilege GitHub credentials (read-only scopes if possible) and prefer passing an explicit --author and --repo to limit the scope instead of --org.
  • If you plan to enable this as a skill, ask the publisher to update metadata to declare the 'gh' binary dependency and note that it uses your GitHub auth context.
  • Run the script in an isolated environment or CI runner you control if you have concerns about exposing org-wide repo lists.

These steps will reduce risk and surface the missing metadata inconsistency before you rely on the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97142qqhfzn93qqntbjqxakqs82gk5y
315 downloads
0 stars
1 version
Updated 21h ago
v1.0.0
MIT-0

gh-standup

Generate a standup summary from GitHub activity since the last standup day.

Quick Start

# Single repo, weekly Friday standup
python3 scripts/standup.py --repo ORG/REPO --standup-days Friday

# Multiple standup days
python3 scripts/standup.py --repo ORG/REPO --standup-days Monday,Thursday

# Whole org, specific author
python3 scripts/standup.py --org MY_ORG --standup-days Friday --author username

Parameters

| Flag | Required | Default | Description |
|---|---|---|---|
| --repo | one of | | Single repo (org/repo) |
| --org | one of | | Entire GitHub org (all repos) |
| --standup-days | no | Friday | Comma-separated weekdays |
| --author | no | @me | GitHub username or @me |

Workflow

  1. Run scripts/standup.py with the user's repo/org and standup days
  2. The script calculates the most recent past standup day and uses it as since
  3. Output: merged PRs + direct commits (PR commits de-duped) since that date
  4. Post the output as the standup message

Requirements

  • gh CLI authenticated (gh auth status)
  • Python 3.10+

Notes

  • --org fetches all repos in the org; can be slow for large orgs — prefer --repo when possible
  • PRs are matched by merge date; commits by author date
  • Commits that belong to a merged PR are excluded from "Direct Commits" to avoid duplication
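
The date window and de-duplication described in the Workflow and Notes above, as an added sketch that is not the code in scripts/standup.py. The function names, the `sha` and `author_date` fields, and the choice to treat today as not yet "past" are assumptions made for illustration; reading the window logic this way makes it easier to check how much history a run will pull through your GitHub session.

```python
from datetime import date, timedelta

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]


def parse_standup_days(spec: str) -> set[int]:
    """Turn 'Monday,Thursday' into weekday indexes (Monday == 0)."""
    days = set()
    for name in spec.split(","):
        key = name.strip().lower()
        if key not in WEEKDAYS:
            # Reject typos instead of silently widening the window.
            raise ValueError(f"unknown weekday: {name!r}")
        days.add(WEEKDAYS.index(key))
    return days


def last_standup(today: date, spec: str = "Friday",
                 include_today: bool = False) -> date:
    """Most recent standup day; strictly before today unless include_today.

    Assumption: the page says "most recent past standup day" without
    saying whether a standup held today counts, so both are supported.
    """
    days = parse_standup_days(spec)
    start = 0 if include_today else 1
    for back in range(start, start + 7):
        candidate = today - timedelta(days=back)
        if candidate.weekday() in days:
            return candidate
    raise AssertionError("unreachable: every weekday occurs within 7 days")


def direct_commits(commits: list[dict], pr_commit_shas: set[str],
                   since: date) -> list[dict]:
    """Commits by author date >= since that are not part of a merged PR."""
    return [c for c in commits
            if c["author_date"] >= since and c["sha"] not in pr_commit_shas]


# Constructed sample data (hypothetical field names and shortened SHAs).
SAMPLE_COMMITS = [
    {"sha": "a1", "author_date": date(2024, 5, 14)},  # belongs to a merged PR
    {"sha": "b2", "author_date": date(2024, 5, 13)},  # pushed directly
    {"sha": "c3", "author_date": date(2024, 5, 2)},   # before the window
]
```
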
