ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Trending Monitor

v1.0.0

Monitor GitHub trending repositories by language and time range, receiving daily alerts via Telegram, Discord, or Email with pay-per-use pricing.

0· 398·1 current·1 all-time
by@zhdryanchang

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhdryanchang/github-trending-monitor.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "GitHub Trending Monitor" (zhdryanchang/github-trending-monitor) from ClawHub.
Skill page: https://clawhub.ai/zhdryanchang/github-trending-monitor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-trending-monitor

ClawHub CLI

Package manager switcher

npx clawhub@latest install github-trending-monitor
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and documentation implement the advertised functionality (scraping GitHub trending pages, multi-channel notifications, scheduled reports, and pay-per-use via SkillPay). However the registry metadata claims no required environment variables while SKILL.md and the code clearly expect SKILLPAY_API_KEY (and optional TELEGRAM/ DISCORD/EMAIL creds). Additionally, skill.json contains an embedded 'apiKey' value — this is inconsistent with normal practice (API keys should be provided via environment) and is unnecessary for the skill's stated purpose.
Instruction Scope
Runtime instructions in SKILL.md and the source code are scoped to fetching trending repos, sending notifications, handling subscriptions, and talking to SkillPay. I found no instructions to read unrelated local files, read system-level credentials, or exfiltrate arbitrary files. The skill sends payment and usage data to api.skillpay.me (expected for pay-per-use).
Install Mechanism
No remote installers or URL downloads are used; dependencies are standard npm packages listed in package.json. There is no install spec in the registry (instruction-only), and running the project installs usual npm modules — low-to-moderate install risk.
!
Credentials
The environment variables the code uses (SKILLPAY_API_KEY, TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, EMAIL_* , optional GITHUB_TOKEN) are appropriate for the feature set. However a SkillPay API key is hardcoded in skill.json and is also present in the README's .env example — that is a sensitive secret baked into the package and not justified by the skill's functionality. Also the registry metadata listing no required env vars conflicts with the actual requirements, which is misleading.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configurations. It runs an Express server, a scheduler, and optionally a Telegram bot, which are reasonable for its stated purpose. Autonomous invocation is enabled by default (normal for skills) but is not combined with other high-risk flags here.
Scan Findings in Context
[hardcoded-secrets.skillpay_api_key] unexpected: A SkillPay API key-like value ('sk_e390b52c...') is present in skill.json and duplicated in README.md/.env example. Embedding a provider API key in repository files is unnecessary and exposes credentials to anyone who downloads the skill. The code expects SKILLPAY_API_KEY via environment; the hardcoded key is inconsistent and risky.
[network-call.skillpay_api] expected: payment.js makes authenticated POST calls to https://api.skillpay.me/v1 for verification, payment creation, and usage logging. This network activity is expected for the advertised pay-per-use functionality.
What to consider before installing
This skill mostly does what it claims, but proceed cautiously. Key points to consider before installing or running it: (1) The package contains a hardcoded SkillPay API key in skill.json and README — treat that as a leaked secret. Do not use that key: remove it from the files and replace it with your own environment variable, and rotate the key if it is real. (2) The registry metadata omits required env vars while SKILL.md and the code require SKILLPAY_API_KEY (and optional TELEGRAM/DISCORD/EMAIL creds) — ensure you set only the credentials you control. (3) The skill contacts api.skillpay.me and will send usage/payment data there — verify the SkillPay provider and account. (4) Inspect and run the code in an isolated environment (local machine or sandbox) and avoid setting production credentials until you are satisfied. (5) If you plan to publish or use this skill publicly, remove any embedded secrets and update the manifest to accurately declare required environment variables. If you are uncertain whether the hardcoded key is valid, assume it is and rotate the credential in any linked SkillPay account.

Like a lobster shell, security has layers — review code before you run it.

latestvk970rvay6mfzappb62sdtrfbnn82cpw6
398downloads
0stars
1versions
Updated 2h ago
v1.0.0
MIT-0
@zhdryanchang
latest
Download

GitHub Trending Monitor

Monitor GitHub trending repositories and receive daily notifications.

Features

  • 🔥 Real-time monitoring of GitHub trending repositories
  • 🌍 Filter by programming language (JavaScript, Python, Go, Rust, etc.)
  • 📅 Time ranges: Daily, weekly, or monthly trends
  • 📱 Multi-channel notifications: Telegram, Discord, Email
  • ⏰ Scheduled daily reports
  • 💰 Pay-per-use: 0.001 USDT per call

API Endpoints

GET /trending

Fetch current GitHub trending repositories.

Query Parameters:

  • language (optional): Programming language filter
  • since (optional): Time range - daily, weekly, monthly

Example:

curl "http://localhost:3000/trending?language=javascript&since=daily"

Response:

{
  "success": true,
  "data": [
    {
      "name": "awesome-project",
      "author": "github-user",
      "description": "An awesome project",
      "language": "JavaScript",
      "stars": 1234,
      "forks": 567,
      "todayStars": 89,
      "url": "https://github.com/github-user/awesome-project"
    }
  ]
}

POST /notify

Trigger immediate notification with trending repositories.

Request:

{
  "userId": "user123",
  "transactionId": "tx456",
  "channels": {
    "telegram": { "chatId": "123456789" }
  },
  "language": "javascript",
  "since": "daily"
}

POST /subscribe

Subscribe to daily trending notifications.

Request:

{
  "userId": "user123",
  "channels": {
    "telegram": { "chatId": "123456789" }
  },
  "preferences": {
    "language": "javascript",
    "since": "daily"
  }
}

Configuration

Required environment variables:

  • SKILLPAY_API_KEY: SkillPay API key (required)
  • TELEGRAM_BOT_TOKEN: Telegram bot token (optional)
  • DISCORD_WEBHOOK_URL: Discord webhook URL (optional)
  • EMAIL_USER/EMAIL_PASS: SMTP credentials (optional)

Installation

npm install
npm start

Pricing

  • 0.001 USDT per API call
  • Automatic settlement via SkillPay.me

License

MIT

Comments

Loading comments...