Security scan
OpenClaw
Suspicious (high confidence)
The skill's code and instructions match the stated GitHub-analysis purpose, but it reads an undeclared GITHUB_TOKEN environment variable and writes downloaded repos to your ~/Downloads folder — an inconsistency that should be clarified before installing.
Assessment
The skill appears to do what it says (search GitHub, analyze repos, download zips). The pre-install considerations are listed in full under "Notes before installing" below.
✓ Purpose and capabilities
Name/description align with included scripts (search_github.py, analyze_repo.py, download_repos.py). All required functionality (search, analyze, download) is implemented and there are no unrelated binaries or unexpected services referenced.
✓ Instruction scope
SKILL.md instructions are narrowly scoped to calling the included Python scripts which use the GitHub API and optionally download repository zip files to ~/Downloads/github-analyzer/. The agent will run network calls to api.github.com and github.com and will write files to the user's Downloads directory — behavior that matches the stated feature set.
✓ Install mechanism
No install spec; this is instruction-plus-scripts only. The included Python code uses only the standard library (urllib, json, etc.), so there is no additional install/download step that would pull arbitrary third-party code.
⚠ Credential requirements
SKILL.md and the scripts optionally use a GITHUB_TOKEN from the environment to increase rate limits, but the skill metadata declares no required environment variables. The runtime code reads GITHUB_TOKEN (and sends an Authorization header even when empty), which is an undeclared credential access and should be declared explicitly. The skill also creates/writes files under ~/Downloads/github-analyzer/, which is consistent with its purpose but is a filesystem write that users should be aware of.
✓ Persistence and permissions
The skill is not always-enabled, does not request system-wide configuration changes, and does not modify other skills. It runs on-demand and writes only to its own download directory.
Notes before installing
- Note the developer/source is unknown and there's no homepage — consider trusting the author.
- The scripts will use GITHUB_TOKEN if present but the skill metadata doesn't declare it — if you provide a token, prefer one with minimal scopes (a public read-only token is enough); do not expose a token with broad privileges.
- Downloads are saved to ~/Downloads/github-analyzer/ and will store arbitrary repository code; consider running the downloads in an isolated environment if you are concerned.
- Ask the publisher to add GITHUB_TOKEN to the skill metadata (requires.env) or explicitly document its use to remove the inconsistency. Overall the skill is coherent but this undisclosed env-var use is a noteworthy mismatch.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/3/10)
● Harmless
Install command
Official: npx clawhub@latest install github-analyzer
Mirror (China): npx clawhub@latest install github-analyzer --registry https://cn.clawhub-mirror.com
Skill documentation
What you can do
Mode 1: intent search
"I want to build an XXX project; help me find related open-source projects on GitHub"
Mode 2: direct-link analysis
"Help me analyze these projects: https://github.com/xxx/yyy https://github.com/aaa/bbb"
Mode 3: comparative analysis
"Help me compare these projects; which one better fits my needs?"
Workflow
Mode 1: intent search
- Parse the user's description and extract 2-4 core keywords
- Call the GitHub Search API for related repositories (sorted by stars descending, take the top 10)
- Filter: exclude forks, archived repositories, repositories not updated within the last year, and repositories with fewer than 50 stars
- Call the GitHub API for details on each remaining project
- Generate an AI analysis report
- Ask whether the user wants the code packages downloaded
Mode 2: direct-link analysis
- Extract owner/repo from each URL
- Call the GitHub API for repository details, README and language statistics
- Generate an AI analysis report
- Ask whether the user wants the code packages downloaded
Report format
For each project, output:
## Project name: one-line description

| Dimension | Details |
|---|---|
| ⭐ Stars | 12,345 |
| 🍴 Forks | 1,234 |
| 🔤 Language | Python / TypeScript |
| 📅 Last updated | 2024-01-15 |
| 📜 License | MIT |

Core features
- Feature 1
- Feature 2
- Feature 3
Strengths ✅
- ...
Weaknesses / caveats ⚠️
- ...
Suitable scenarios
...

Overall score: 8.5 / 10
Scoring basis: high activity (★★★★), complete documentation (★★★★), active community (★★★), low learning curve (★★★★)
When several projects are analyzed, append a comparison table:

| Project | Stars | Language | Activity | Docs | Learning curve | Overall score |
|---|---|---|---|---|---|---|
Download feature
After the analysis is complete, ask the user whether to download:
- "Do you want the code packages for the top 3 highest-scoring projects downloaded?"
- After the user confirms, run python3 SKILL_DIR/scripts/download_repos.py
- Download into the ~/Downloads/github-analyzer/ directory
- Package each repository as a zip and report the file path to the user
Tool calls
# Search GitHub
exec: python3 SKILL_DIR/scripts/search_github.py "" [--limit 10]
# Analyze a single repository
exec: python3 SKILL_DIR/scripts/analyze_repo.py ""
# Batch download
exec: python3 SKILL_DIR/scripts/download_repos.py "" "" ...
Notes
- Unauthenticated GitHub API requests are rate-limited to 60 per hour; authenticated requests get 5000 per hour
- If a GITHUB_TOKEN environment variable is present, it is used automatically
- Over-long READMEs are truncated to the first 3000 characters before analysis
- When very few projects are found (fewer than 3), tell the user and explain the likely reasons
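The mode-1 filtering rules and the GITHUB_TOKEN and README notes above, as an added Python example. This is not the skill's own code (search_github.py and the other scripts are not shown on this page); the function names, the sample records and the fixed clock are assumptions made for the example. The records are constructed in the shape of GitHub Search API `items` (real field names: full_name, stargazers_count, fork, archived, pushed_at), and the header builder shows the behaviour the scan finding asks for: GITHUB_TOKEN is read in one clearly declared place and an Authorization header is sent only when a token is actually set, never as an empty value.

```python
"""Mode-1 repository filter plus optional GITHUB_TOKEN handling (added example)."""
import os
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like GitHub Search API "items" (only the fields used here).
SAMPLE_ITEMS = [
    {"full_name": "example/active",   "stargazers_count": 1200, "fork": False, "archived": False, "pushed_at": "2026-02-01T00:00:00Z"},
    {"full_name": "example/is-fork",  "stargazers_count": 900,  "fork": True,  "archived": False, "pushed_at": "2026-02-01T00:00:00Z"},
    {"full_name": "example/archived", "stargazers_count": 800,  "fork": False, "archived": True,  "pushed_at": "2026-02-01T00:00:00Z"},
    {"full_name": "example/stale",    "stargazers_count": 700,  "fork": False, "archived": False, "pushed_at": "2024-01-01T00:00:00Z"},
    {"full_name": "example/tiny",     "stargazers_count": 12,   "fork": False, "archived": False, "pushed_at": "2026-02-01T00:00:00Z"},
    {"full_name": "example/popular",  "stargazers_count": 3000, "fork": False, "archived": False, "pushed_at": "2026-01-15T00:00:00Z"},
]

# Fixed "now" (assumed) so the example is deterministic; real code would use datetime.now(timezone.utc).
NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)


def parse_pushed_at(value):
    """GitHub returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_repos(items, now=NOW, min_stars=50, max_age_days=365, limit=10):
    """Apply the mode-1 rules: drop forks, archived repos, repos not pushed
    within a year and repos under min_stars; return the top `limit` by stars."""
    kept = [
        r for r in items
        if not r["fork"]
        and not r["archived"]
        and r["stargazers_count"] >= min_stars
        and now - parse_pushed_at(r["pushed_at"]) <= timedelta(days=max_age_days)
    ]
    kept.sort(key=lambda r: r["stargazers_count"], reverse=True)
    return kept[:limit]


def build_headers(token):
    """Add Authorization only when a token is really present, so an unset or
    empty GITHUB_TOKEN never produces a dangling 'Authorization: Bearer ' header."""
    headers = {
        "Accept": "application/vnd.github+json",
        "User-Agent": "github-analyzer-example",  # GitHub rejects requests without a User-Agent
    }
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def truncate_readme(text, limit=3000):
    """Keep only the first `limit` characters of an over-long README."""
    return text[:limit]


if __name__ == "__main__":
    # The environment variable is read in exactly one, clearly named place.
    token = os.environ.get("GITHUB_TOKEN", "")
    print("auth header sent:", "Authorization" in build_headers(token))
    for repo in filter_repos(SAMPLE_ITEMS):
        print(repo["full_name"], repo["stargazers_count"])
```

With the constructed records, only example/popular and example/active survive the filter: the fork, the archived repo, the repo last pushed in 2024 and the 12-star repo are all dropped. A reviewer checking the skill's real scripts would look for the same two properties: the filter thresholds stated in the workflow, and an Authorization header that is conditional on the token being present.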
Data source: ClawHub · Chinese localization: 龙虾技能库