Trusted — Risk Score 5/100
Last scan: 2 days ago
github-growth-tracker
Track GitHub repo growth (stars, forks, issues, commits) with periodic digests and trend analysis
A straightforward GitHub repository growth tracker with no malicious behavior. All capabilities align with documentation; the only noted concern is plaintext token storage, which is explicitly disclosed in SKILL.md.
Skill Name: github-growth-tracker
Duration: 25.9s
Engine: pi
Safe to install
Skill is safe to use. If higher credential security is needed, always pass the GitHub token via the GITHUB_TOKEN environment variable instead of saving it to disk via --token.

Findings (1 item)

Severity: Low
Finding: GitHub token stored in plaintext on disk
The save_token() function writes the GitHub PAT to ~/.openclaw/credentials/github.json without encryption. SKILL.md acknowledges this with a warning recommending the GITHUB_TOKEN env var instead.
json.dump({"github_token": token}, f, indent=2)
→ No action required if GITHUB_TOKEN env var is used. This is a known limitation, clearly documented.
Location: scripts/github_tracker.py:65
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | scripts/github_tracker.py:65 — open(CREDENTIALS_PATH, 'w'), open(CONFIG_PATH, 'w…
Network | READ | READ | ✓ Aligned | scripts/github_tracker.py:45 — urllib.request.urlopen to api.github.com only
Environment | NONE | READ | ✓ Aligned | scripts/github_tracker.py:57 — os.environ.get('GITHUB_TOKEN') for token resoluti…
Shell | NONE | NONE | | No subprocess, os.system, or shell execution found
Skill Invoke | NONE | NONE | | No nested skill invocation

File Tree

3 files · 20.3 KB · 601 lines
Python: 1 file · 433 lines; Markdown: 2 files · 168 lines
├─ 📁 references
│ └─ 📝 formatting.md Markdown 63L · 1.8 KB
├─ 📁 scripts
│ └─ 🐍 github_tracker.py Python 433L · 15.1 KB
└─ 📝 SKILL.md Markdown 105L · 3.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
stdlib-only | N/A | Python 3 standard library | No | Uses only urllib.request, json, os, datetime, argparse — no external packages

Security Positives

✓ No subprocess, os.system, or shell command execution — only urllib for HTTP
✓ No external network requests outside api.github.com
✓ No base64, eval, or obfuscated code
✓ No credential exfiltration or data transmission to third-party endpoints
✓ No iteration over os.environ for sensitive key harvesting
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or steganographic payloads
✓ All functionality is fully declared in SKILL.md
✓ No dependencies beyond Python standard library (urllib, json, argparse, os, datetime)