← Back to Skills Marketplace
163
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install clickhouse-github-forensics
Description
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks,...
README (SKILL.md)
ClickHouse GitHub Forensics
Query 10+ billion GitHub events for security investigations.
Author: Rufio @ Permiso Security
Use Case: Built during the Trivy supply chain compromise investigation (March 2026)
Quick Start
curl -s "https://play.clickhouse.com/?user=play" \
--data "SELECT ... FROM github_events WHERE ... FORMAT PrettyCompact"
- Endpoint:
https://play.clickhouse.com/?user=play - Table:
github_events - Auth: None required (public read-only)
- Freshness: Near real-time (~minutes behind)
- Volume: 10+ billion events
Key Columns
| Column | Type | Use |
|---|---|---|
created_at |
DateTime | Event timestamp |
event_type |
Enum | PushEvent, CreateEvent, DeleteEvent, ReleaseEvent, etc. |
actor_login |
String | GitHub username |
repo_name |
String | owner/repo format |
ref |
String | Branch/tag name (e.g., refs/heads/main, 0.33.0) |
ref_type |
Enum | branch, tag, repository, none |
action |
Enum | published, created, opened, closed, etc. |
For full schema (29 columns): see references/schema.md
Common Investigation Patterns
1. Actor Timeline (Who did what, when?)
SELECT created_at, event_type, repo_name, ref, action
FROM github_events
WHERE actor_login = 'TARGET_ACCOUNT'
AND created_at >= '2026-03-01'
ORDER BY created_at
2. Repo Activity Window (What happened during incident?)
SELECT created_at, event_type, actor_login, ref, ref_type, action
FROM github_events
WHERE repo_name = 'owner/repo'
AND created_at >= 'START_TIME'
AND created_at \x3C= 'END_TIME'
ORDER BY created_at
3. Anomaly Detection (First-time repo access)
SELECT repo_name,
countIf(created_at \x3C 'ATTACK_DATE') as before,
countIf(created_at >= 'ATTACK_DATE') as during
FROM github_events
WHERE actor_login = 'SUSPECT_ACCOUNT'
AND created_at >= 'LOOKBACK_START'
GROUP BY repo_name
ORDER BY during DESC
4. Tag/Release Tampering
SELECT created_at, event_type, actor_login, ref, ref_type
FROM github_events
WHERE repo_name = 'owner/repo'
AND event_type IN ('CreateEvent', 'DeleteEvent', 'ReleaseEvent')
AND ref_type = 'tag'
ORDER BY created_at
5. Actor Profile (Is this account legitimate?)
SELECT toStartOfMonth(created_at) as month,
count() as events,
uniqExact(repo_name) as unique_repos
FROM github_events
WHERE actor_login = 'TARGET_ACCOUNT'
GROUP BY month
ORDER BY month
6. Org-Wide Activity (All repos in an org)
SELECT created_at, event_type, actor_login, repo_name, ref
FROM github_events
WHERE repo_name LIKE 'orgname/%'
AND created_at >= 'START_TIME'
ORDER BY created_at
7. New Accounts During Incident (Potential attacker alts)
SELECT actor_login, min(created_at) as first_ever, count() as events
FROM github_events
WHERE repo_name LIKE 'orgname/%'
GROUP BY actor_login
HAVING first_ever >= 'INCIDENT_START' AND first_ever \x3C= 'INCIDENT_END'
ORDER BY first_ever
8. Hourly Breakdown (Attack timeline)
SELECT toStartOfHour(created_at) as hour,
actor_login,
count() as events,
groupArray(distinct repo_name) as repos,
groupArray(distinct event_type) as types
FROM github_events
WHERE repo_name LIKE 'orgname/%'
AND created_at >= 'START_TIME'
GROUP BY hour, actor_login
ORDER BY hour
Event Types Reference
| Event | Significance |
|---|---|
PushEvent |
Code pushed to branch |
CreateEvent |
Branch/tag/repo created |
DeleteEvent |
Branch/tag deleted |
ReleaseEvent |
Release published/edited |
PullRequestEvent |
PR opened/closed/merged |
IssueCommentEvent |
Comment on issue |
ForkEvent |
Repo forked |
WatchEvent |
Repo starred |
Tips
- Output formats:
FORMAT PrettyCompactfor tables,FORMAT TabSeparatedfor parsing - macOS curl: Use
--datanot-dfor multi-line queries - Timestamps: Use UTC, format
YYYY-MM-DD HH:MM:SS - No payload JSON: Raw event payloads aren't available; use structured columns
- Bot accounts: Filter with
actor_login NOT IN ('github-actions[bot]', 'dependabot[bot]')
Security & Privacy
- Uses ClickHouse's public playground — all queries sent to
play.clickhouse.com - Data queried is GitHub's public event stream only
- No private repo data, credentials, or sensitive information is accessible
- Use responsibly: GitHub ToS prohibits scraping for spam or harassment
Usage Guidance
This skill is low-risk: it only shows how to run read-only SQL queries against a public ClickHouse playground. Before installing/use, verify the endpoint (play.clickhouse.com) is the intended/data-provider you trust, avoid embedding any secrets or private repo identifiers in queries, and be mindful that queries you send to the public playground may be logged by the service. Also confirm the dataset provenance if you need guarantees about coverage or completeness. If you require private-repo or authenticated data, this skill does not provide that and would need explicit, justified credential requirements.
Capability Analysis
Type: OpenClaw Skill
Name: clickhouse-github-forensics
Version: 1.0.0
The skill bundle provides a legitimate interface for querying public GitHub event data via the official ClickHouse playground (play.clickhouse.com) for security forensics. It contains well-documented SQL patterns for investigating supply chain attacks and actor behavior without any evidence of data exfiltration, malicious execution, or prompt injection (SKILL.md, README.md).
Capability Assessment
Purpose & Capability
The name/description (ClickHouse queries over GitHub events) matches the content: SQL examples, endpoint, and schema for a public GitHub-events dataset. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md only instructs making SQL queries against the listed public ClickHouse playground endpoint and documents the schema and common query patterns. It does not instruct reading local files, accessing unrelated env vars, or exfiltrating data to other endpoints.
Install Mechanism
No install spec or code is included (instruction-only). Nothing will be downloaded or written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are required. The skill operates against a public, read-only dataset — requested access is minimal and appropriate.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence or modify other skills. Autonomous invocation is allowed by platform default but is not combined with other risky privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clickhouse-github-forensics - After installation, invoke the skill by name or use
/clickhouse-github-forensics - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release. Query GitHub events via ClickHouse for supply chain investigations. Built during the Trivy compromise investigation (March 2026).
Metadata
Frequently Asked Questions
What is ClickHouse GitHub Forensics?
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks,... It is an AI Agent Skill for Claude Code / OpenClaw, with 163 downloads so far.
How do I install ClickHouse GitHub Forensics?
Run "/install clickhouse-github-forensics" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ClickHouse GitHub Forensics free?
Yes, ClickHouse GitHub Forensics is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ClickHouse GitHub Forensics support?
ClickHouse GitHub Forensics is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ClickHouse GitHub Forensics?
It is built and maintained by 1aN0rmus (@1an0rmus); the current version is v1.0.0.
More Skills