Project Progress Tracker
v1.0.2
Automatically analyze Git commits and GitHub Issues to generate detailed project progress reports with charts and evaluations.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (git commit + GitHub Issues → reports) matches code and SKILL.md. The skill uses git and the gh CLI as documented; no unrelated binaries, services, or environment variables are requested.
Instruction Scope
SKILL.md instructs using local repo path and gh CLI for issues; code only runs git and gh via subprocess (no shell=True). It does not attempt to read unrelated system files or exfiltrate data to external endpoints beyond what gh performs with its own authentication.
Install Mechanism
No install spec is provided (instruction-only install), and included Python files are local. There are no downloads from remote URLs or archive extraction steps.
Credentials
The skill declares no required env vars and the code does not read secrets or unrelated environment variables. It expects the user to have git and gh installed; gh will use whatever GitHub credentials the user has configured (this is expected for GitHub access).
Persistence & Privilege
always is false and the skill does not request persistent/privileged system changes. It does not modify other skills or system-wide config; it only invokes git/gh for the given repo.
Assessment
This skill appears to do what it says: it analyzes a local Git repo (needs file access to the specified repo path) and calls the gh CLI to list issues (gh must be installed and authenticated). Before installing or running: 1) ensure you trust the repository path you pass (the tool will run git -C on it); 2) be aware gh will use your configured GitHub credentials — revoke or limit those if you don't want this skill to access private repos; 3) review the included Python files yourself if you want stronger assurance (the subprocess calls use argument lists, not a shell, which reduces command‑injection risk); 4) note minor metadata mismatches (package.json version vs registry version and ‘Source: unknown’ despite SKILL.md linking a GitHub repo) — not dangerous but worth verifying the origin if provenance matters.
Like a lobster shell, security has layers — review code before you run it.
