← 返回 Skills 市场
163
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install clickhouse-github-forensics
功能描述
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks,...
使用说明 (SKILL.md)
ClickHouse GitHub Forensics
Query 10+ billion GitHub events for security investigations.
Author: Rufio @ Permiso Security
Use Case: Built during the Trivy supply chain compromise investigation (March 2026)
Quick Start
curl -s "https://play.clickhouse.com/?user=play" \
--data "SELECT ... FROM github_events WHERE ... FORMAT PrettyCompact"
- Endpoint:
https://play.clickhouse.com/?user=play - Table:
github_events - Auth: None required (public read-only)
- Freshness: Near real-time (~minutes behind)
- Volume: 10+ billion events
Key Columns
| Column | Type | Use |
|---|---|---|
created_at |
DateTime | Event timestamp |
event_type |
Enum | PushEvent, CreateEvent, DeleteEvent, ReleaseEvent, etc. |
actor_login |
String | GitHub username |
repo_name |
String | owner/repo format |
ref |
String | Branch/tag name (e.g., refs/heads/main, 0.33.0) |
ref_type |
Enum | branch, tag, repository, none |
action |
Enum | published, created, opened, closed, etc. |
For full schema (29 columns): see references/schema.md
Common Investigation Patterns
1. Actor Timeline (Who did what, when?)
SELECT created_at, event_type, repo_name, ref, action
FROM github_events
WHERE actor_login = 'TARGET_ACCOUNT'
AND created_at >= '2026-03-01'
ORDER BY created_at
2. Repo Activity Window (What happened during incident?)
SELECT created_at, event_type, actor_login, ref, ref_type, action
FROM github_events
WHERE repo_name = 'owner/repo'
AND created_at >= 'START_TIME'
AND created_at \x3C= 'END_TIME'
ORDER BY created_at
3. Anomaly Detection (First-time repo access)
SELECT repo_name,
countIf(created_at \x3C 'ATTACK_DATE') as before,
countIf(created_at >= 'ATTACK_DATE') as during
FROM github_events
WHERE actor_login = 'SUSPECT_ACCOUNT'
AND created_at >= 'LOOKBACK_START'
GROUP BY repo_name
ORDER BY during DESC
4. Tag/Release Tampering
SELECT created_at, event_type, actor_login, ref, ref_type
FROM github_events
WHERE repo_name = 'owner/repo'
AND event_type IN ('CreateEvent', 'DeleteEvent', 'ReleaseEvent')
AND ref_type = 'tag'
ORDER BY created_at
5. Actor Profile (Is this account legitimate?)
SELECT toStartOfMonth(created_at) as month,
count() as events,
uniqExact(repo_name) as unique_repos
FROM github_events
WHERE actor_login = 'TARGET_ACCOUNT'
GROUP BY month
ORDER BY month
6. Org-Wide Activity (All repos in an org)
SELECT created_at, event_type, actor_login, repo_name, ref
FROM github_events
WHERE repo_name LIKE 'orgname/%'
AND created_at >= 'START_TIME'
ORDER BY created_at
7. New Accounts During Incident (Potential attacker alts)
SELECT actor_login, min(created_at) as first_ever, count() as events
FROM github_events
WHERE repo_name LIKE 'orgname/%'
GROUP BY actor_login
HAVING first_ever >= 'INCIDENT_START' AND first_ever \x3C= 'INCIDENT_END'
ORDER BY first_ever
8. Hourly Breakdown (Attack timeline)
SELECT toStartOfHour(created_at) as hour,
actor_login,
count() as events,
groupArray(distinct repo_name) as repos,
groupArray(distinct event_type) as types
FROM github_events
WHERE repo_name LIKE 'orgname/%'
AND created_at >= 'START_TIME'
GROUP BY hour, actor_login
ORDER BY hour
Event Types Reference
| Event | Significance |
|---|---|
PushEvent |
Code pushed to branch |
CreateEvent |
Branch/tag/repo created |
DeleteEvent |
Branch/tag deleted |
ReleaseEvent |
Release published/edited |
PullRequestEvent |
PR opened/closed/merged |
IssueCommentEvent |
Comment on issue |
ForkEvent |
Repo forked |
WatchEvent |
Repo starred |
Tips
- Output formats:
FORMAT PrettyCompactfor tables,FORMAT TabSeparatedfor parsing - macOS curl: Use
--datanot-dfor multi-line queries - Timestamps: Use UTC, format
YYYY-MM-DD HH:MM:SS - No payload JSON: Raw event payloads aren't available; use structured columns
- Bot accounts: Filter with
actor_login NOT IN ('github-actions[bot]', 'dependabot[bot]')
Security & Privacy
- Uses ClickHouse's public playground — all queries sent to
play.clickhouse.com - Data queried is GitHub's public event stream only
- No private repo data, credentials, or sensitive information is accessible
- Use responsibly: GitHub ToS prohibits scraping for spam or harassment
安全使用建议
This skill is low-risk: it only shows how to run read-only SQL queries against a public ClickHouse playground. Before installing/use, verify the endpoint (play.clickhouse.com) is the intended/data-provider you trust, avoid embedding any secrets or private repo identifiers in queries, and be mindful that queries you send to the public playground may be logged by the service. Also confirm the dataset provenance if you need guarantees about coverage or completeness. If you require private-repo or authenticated data, this skill does not provide that and would need explicit, justified credential requirements.
功能分析
Type: OpenClaw Skill
Name: clickhouse-github-forensics
Version: 1.0.0
The skill bundle provides a legitimate interface for querying public GitHub event data via the official ClickHouse playground (play.clickhouse.com) for security forensics. It contains well-documented SQL patterns for investigating supply chain attacks and actor behavior without any evidence of data exfiltration, malicious execution, or prompt injection (SKILL.md, README.md).
能力评估
Purpose & Capability
The name/description (ClickHouse queries over GitHub events) matches the content: SQL examples, endpoint, and schema for a public GitHub-events dataset. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md only instructs making SQL queries against the listed public ClickHouse playground endpoint and documents the schema and common query patterns. It does not instruct reading local files, accessing unrelated env vars, or exfiltrating data to other endpoints.
Install Mechanism
No install spec or code is included (instruction-only). Nothing will be downloaded or written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are required. The skill operates against a public, read-only dataset — requested access is minimal and appropriate.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence or modify other skills. Autonomous invocation is allowed by platform default but is not combined with other risky privileges here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install clickhouse-github-forensics - 安装完成后,直接呼叫该 Skill 的名称或使用
/clickhouse-github-forensics触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release. Query GitHub events via ClickHouse for supply chain investigations. Built during the Trivy compromise investigation (March 2026).
元数据
常见问题
ClickHouse GitHub Forensics 是什么?
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 163 次。
如何安装 ClickHouse GitHub Forensics?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install clickhouse-github-forensics」即可一键安装,无需额外配置。
ClickHouse GitHub Forensics 是免费的吗?
是的,ClickHouse GitHub Forensics 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
ClickHouse GitHub Forensics 支持哪些平台?
ClickHouse GitHub Forensics 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ClickHouse GitHub Forensics?
由 1aN0rmus(@1an0rmus)开发并维护,当前版本 v1.0.0。
推荐 Skills