woaim65

GitHub Code Analyzer

Author woaim65 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
456
Total downloads
0
Favorites
0
Current installs
1
Versions
Install in OpenClaw
/install github-code-analyzer
Description
Clone and analyze GitHub project code quality using DeepSeek AI
Usage (SKILL.md)

GitHub Code Analyzer

A skill for analyzing GitHub repository code quality, bugs, and security issues using DeepSeek AI.

Features

  • Clone any public GitHub repository
  • Analyze project structure
  • Identify code bugs and security vulnerabilities
  • Provide improvement suggestions
  • Support multiple AI models

Usage

analyze https://github.com/owner/repo
analyze https://github.com/owner/repo --model deepseek

Parameters

Parameter  Type    Description                                  Default
repo       string  GitHub repository URL                        required
model      string  AI model to use (deepseek, deepseek-coder)   deepseek

Examples

# Analyze a repository
analyze https://github.com/Openwrt-Passwall/openwrt-passwall

# Use specific model
analyze https://github.com/facebook/react --model deepseek-coder

Supported Models

  • deepseek - General purpose analysis
  • deepseek-coder - Optimized for code analysis

Output

The analyzer provides:

  1. Project structure overview
  2. Code quality assessment
  3. Bug and security issue identification
  4. Improvement suggestions

Technical Details

  • Uses git clone with --depth 1 for fast cloning
  • Samples code files from multiple languages
  • Integrates with DeepSeek API for AI analysis
  • Falls back to structure-only analysis if API fails

License

MIT

Security usage advice
What to consider before installing:

  • This skill will clone the repository you give it and send sampled source files and a project structure to a remote API at ark.cn-beijing.volces.com. If the repo contains sensitive code, secrets, or private info, that data will be transmitted off-host. The SKILL.md does not warn about this.
  • The code contains a hard-coded API key constant. Embedded keys are dangerous and unexpected; ask the publisher why this key is present and insist on supplying credentials via environment variables instead.
  • The repo URL is interpolated directly into a shell command using child_process.exec, which can be exploited by specially crafted inputs (shell injection). Only pass trusted, well-formed GitHub URLs, or ask the author to replace exec with a safer method (e.g., execFile or a git library with argument escaping).
  • There is no install spec or declared dependencies; confirm the runtime environment will have Node and axios, or request a proper package manifest.
  • If you need this functionality but want to limit risk: run it in an isolated/sandboxed environment, use only public repositories you control, or request source changes (remove the hard-coded key, add an explicit env var for the API key, sanitize inputs, and document data handling and retention).

If you cannot verify the publisher or obtain a clean, dependency-declared package that removes the hard-coded key and addresses input sanitization and explicit data-sharing policies, treat this skill as risky and avoid installing it.
Function analysis
Type: OpenClaw Skill
Name: github-code-analyzer
Version: 1.0.0

The skill contains a critical command injection vulnerability in index.js because the 'repoUrl' parameter is passed directly into a shell command ('git clone') without adequate sanitization. Additionally, the code includes a hardcoded API key ('ARK_API_KEY') for the Volcengine/DeepSeek API, which constitutes a credential leak. While these represent significant security risks (RCE and credential exposure), they appear to be unintentional flaws rather than evidence of malicious intent.
Capability assessment
Purpose & Capability
The skill's stated purpose (cloning GitHub repos and analyzing them with DeepSeek) is consistent with the implementation: it clones a repo, samples source files, and sends them to an external AI endpoint for analysis. However, the code contains a hard-coded API key constant (ARK_API_KEY) while the registry metadata declares no required credentials or env vars, which is an incoherence (either the key should be supplied externally or not embedded).
Instruction Scope
SKILL.md describes analyzing public GitHub repos, which aligns with behavior, but the implementation will: (1) run `git clone` by interpolating the repo URL into a shell command (exec), which is vulnerable to shell injection if inputs are not sanitized; (2) read and POST sampled source code and project structure to a remote API (ark.cn-beijing.volces.com). The README does not warn that repository contents will be transmitted to that external endpoint, nor does it discuss private repo handling or data retention.
Install Mechanism
There is no install spec (instruction-only/inline code), yet the package includes index.js that depends on axios and Node runtime. The registry declares no required binaries or dependencies. This mismatch is a packaging/operational concern (it may fail at runtime if the agent environment lacks Node/axios) but not an immediate indication of malicious intent.
Credentials
The skill declares no required environment variables or credentials, yet the source contains a hard-coded ARK_API_KEY value and sends repository content to an external service. This is inconsistent and risky: secrets embedded in code are poor practice, and sending code to a remote service should be explicitly declared/justified (and should normally require the operator to supply an API key via env var).
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It creates a temporary directory to clone repositories and attempts to clean it up. There is no evidence it modifies other skills or system configs.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install github-code-analyzer
  3. After installation, call the Skill by name directly or trigger it with /github-code-analyzer
  4. Provide the required inputs as described in the Skill's parameter list to get structured output
Version history
v1.0.0
Initial release of GitHub Code Analyzer.
  • Analyze public GitHub repository code quality using DeepSeek AI
  • Detects bugs and security issues, provides improvement suggestions
  • Supports multiple models: deepseek, deepseek-coder
  • Fast cloning with git, samples code in various languages
  • Falls back to structure-only analysis if AI API is unavailable
Metadata
Slug github-code-analyzer
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is GitHub Code Analyzer?

Clone and analyze GitHub project code quality using DeepSeek AI. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 456 downloads to date.

How do I install GitHub Code Analyzer?

Run the command "/install github-code-analyzer" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is GitHub Code Analyzer free?

Yes, GitHub Code Analyzer is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does GitHub Code Analyzer support?

GitHub Code Analyzer is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed GitHub Code Analyzer?

Developed and maintained by woaim65 (@woaim65); the current version is v1.0.0.