GitHub Cred

v1.0.0

Analyze GitHub user contribution quality. Evaluates owned repos, external contributions, output quality, and social influence. Triggers on "github cred", "an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (analyzing GitHub contribution quality) matches the rubric and output format. However, the skill does not declare any GitHub API credential (GITHUB_TOKEN) or required tooling; while not strictly required, realistic collection of merged PR counts, merge rates, and cross-repo metrics usually needs API access or substantial scraping. The absence of declared credentials is notable but not definitive evidence of misbehavior.
Instruction Scope
SKILL.md is a scoring specification and output template but contains no concrete runtime instructions about where or how to fetch data (GitHub API vs. web scraping), what endpoints to call, or limits on what to collect. That vagueness grants the agent wide discretion to make network requests or gather extra context (potentially beyond what's needed), and it doesn't constrain reading of other data sources. The rubric references metrics (merged PRs, code ratio, merge rate) without defining computation methods or data scopes.
Install Mechanism
There is no install spec and no code files in the package (instruction-only), which is lower risk: nothing is written to disk by the bundle itself. README suggests cloning the author's GitHub repo as an install option, but the published skill contains no install script or downloaded artifacts.
Credentials
The skill requires no environment variables or credentials. That is minimal and reasonable in principle, but inconsistent with the scope of data collection it claims: GitHub API usage (to get PR merge info, commit sizes, follower counts at scale) typically needs a token to avoid rate limits. Because no credential is requested, the agent may either (a) perform unauthenticated, possibly brittle scraping, (b) repeatedly prompt for a token at runtime, or (c) attempt other network activity. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or to modify other skills. It does not claim or appear to write system configuration or require elevated access.
What to consider before installing
This skill is an instruction-only scoring rubric with no code and no requested credentials, but it's also vague about how it will retrieve GitHub data. Before installing or using it:
1) Ask the author how the agent will access GitHub (API vs scraping) and whether it will request a GITHUB_TOKEN; prefer a workflow that uses a personal token with minimal scopes if needed.
2) Understand that the rubric is subjective and that the agent's implementation may collect more GitHub data than you expect (PR diffs, commit metadata, repo lists).
3) Test the skill on non-sensitive or public accounts first.
4) If you are uncomfortable with an agent making arbitrary network requests, decline installation or require the skill to explicitly document API calls and required env vars.

Like a lobster shell, security has layers — review code before you run it.
