Downloads: 456 | Stars: 0 | Active Installs: 0 | Versions: 1
Install in OpenClaw: /install github-code-analyzer
Description
Clone and analyze GitHub project code quality using DeepSeek AI
README (SKILL.md)
GitHub Code Analyzer
A skill for analyzing GitHub repository code quality, bugs, and security issues using DeepSeek AI.
Features
- Clone any public GitHub repository
- Analyze project structure
- Identify code bugs and security vulnerabilities
- Provide improvement suggestions
- Support multiple AI models
Usage
analyze https://github.com/owner/repo
analyze https://github.com/owner/repo --model deepseek
Parameters
| Parameter | Type | Description | Default |
|---|---|---|---|
| repo | string | GitHub repository URL | required |
| model | string | AI model to use (deepseek, deepseek-coder) | deepseek |
Examples
# Analyze a repository
analyze https://github.com/Openwrt-Passwall/openwrt-passwall
# Use specific model
analyze https://github.com/facebook/react --model deepseek-coder
Supported Models
- deepseek - General purpose analysis
- deepseek-coder - Optimized for code analysis
Output
The analyzer provides:
- Project structure overview
- Code quality assessment
- Bug and security issue identification
- Improvement suggestions
Technical Details
- Uses git clone with --depth 1 for fast cloning
- Samples code files from multiple languages
- Integrates with DeepSeek API for AI analysis
- Falls back to structure-only analysis if API fails
License
MIT
Usage Guidance
What to consider before installing:
- This skill will clone the repository you give it and send sampled source files and a project structure to a remote API at ark.cn-beijing.volces.com. If the repo contains sensitive code, secrets, or private info, that data will be transmitted off-host. The SKILL.md does not warn about this.
- The code contains a hard-coded API key constant. Embedded keys are dangerous and unexpected; ask the publisher why this key is present and insist on supplying credentials via environment variables instead.
- The repo URL is interpolated directly into a shell command using child_process.exec, which can be exploited by specially crafted inputs (shell injection). Only pass trusted, well-formed GitHub URLs, or request the author replace exec with a safer method (e.g., execFile or a git library with argument escaping).
- There is no install spec or declared dependencies; confirm the runtime environment will have Node and axios, or request a proper package manifest.
- If you need this functionality but want to limit risk: run it in an isolated/sandboxed environment, use only public repositories you control, or request source changes (remove hard-coded key, add explicit env var for API key, sanitize inputs, and document data handling and retention).
If you cannot verify the publisher or obtain a clean, dependency-declared package that removes the hard-coded key and addresses input sanitization and explicit data-sharing policies, treat this skill as risky and avoid installing it.
Capability Analysis
Type: OpenClaw Skill
Name: github-code-analyzer
Version: 1.0.0
The skill contains a critical command injection vulnerability in index.js because the 'repoUrl' parameter is passed directly into a shell command ('git clone') without adequate sanitization. Additionally, the code includes a hardcoded API key ('ARK_API_KEY') for the Volcengine/DeepSeek API, which constitutes a credential leak. While these represent significant security risks (RCE and credential exposure), they appear to be unintentional flaws rather than evidence of malicious intent.
Capability Assessment
Purpose & Capability
The skill's stated purpose, cloning GitHub repos and analyzing them with DeepSeek, is consistent with the implementation: it clones a repo, samples source files, and sends them to an external AI endpoint for analysis. However, the code contains a hard-coded API key constant (ARK_API_KEY) while the registry metadata declares no required credentials or env vars, which is inconsistent (either the key should be supplied externally or it should not be embedded at all).
Instruction Scope
SKILL.md describes analyzing public GitHub repos, which aligns with the observed behavior, but the implementation will: (1) run `git clone` by interpolating the repo URL into a shell command via exec, which is vulnerable to shell injection if inputs are not sanitized; (2) read and POST sampled source code and project structure to a remote API (ark.cn-beijing.volces.com). The README does not warn that repository contents will be transmitted to that external endpoint, nor does it discuss private repo handling or data retention.
Install Mechanism
There is no install spec (instruction-only/inline code), yet the package includes index.js that depends on axios and Node runtime. The registry declares no required binaries or dependencies. This mismatch is a packaging/operational concern (it may fail at runtime if the agent environment lacks Node/axios) but not an immediate indication of malicious intent.
Credentials
The skill declares no required environment variables or credentials, yet the source contains a hard-coded ARK_API_KEY value and sends repository content to an external service. This is inconsistent and risky: secrets embedded in code are poor practice, and sending code to a remote service should be explicitly declared/justified (and should normally require the operator to supply an API key via env var).
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It creates a temporary directory to clone repositories and attempts to clean it up. There is no evidence it modifies other skills or system configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install github-code-analyzer
- After installation, invoke the skill by name or use /github-code-analyzer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of GitHub Code Analyzer.
- Analyze public GitHub repository code quality using DeepSeek AI
- Detects bugs and security issues, provides improvement suggestions
- Supports multiple models: deepseek, deepseek-coder
- Fast cloning with git, samples code in various languages
- Falls back to structure-only analysis if AI API is unavailable
Frequently Asked Questions
What is GitHub Code Analyzer?
Clone and analyze GitHub project code quality using DeepSeek AI. It is an AI Agent Skill for Claude Code / OpenClaw, with 456 downloads so far.
How do I install GitHub Code Analyzer?
Run "/install github-code-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is GitHub Code Analyzer free?
Yes, GitHub Code Analyzer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does GitHub Code Analyzer support?
GitHub Code Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created GitHub Code Analyzer?
It is built and maintained by woaim65 (@woaim65); the current version is v1.0.0.