Is chenpinji/ghggh safe?

https://github.com/openclaw/skills/tree/main/skills/chenpinji/ghggh

86
SAFE

This skill provides legitimate GitHub repository statistics functionality (star counts and lines of code) using standard development tools. While it requires shell command execution and temporary file system access, the operations are appropriate for its stated purpose and show no signs of malicious intent.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (4)

MEDIUM Shell command execution required -20

The skill requires executing shell commands including git clone and cloc for repository analysis. While these are legitimate tools for the stated purpose, they represent elevated execution privileges.

LOW Package installation suggested -5

The skill suggests installing the cloc package via sudo apt install or pip install, which could modify the system package state.

LOW Requests elevated agent permissions -12

The skill instructs the agent to perform shell operations and network requests beyond basic API calls, though for legitimate purposes.

LOW Temporary file system usage -7

The skill creates temporary files in /tmp/repo-stat for repository analysis, though it includes cleanup instructions.