Find and rank GitHub developers by location, technology, and role. Search for candidates, get scored profiles with tech stack matches, activity, and contact info.
Security Analysis
Medium confidence: The skill appears to implement a legitimate GitHub-candidate search that calls a third‑party API, but there are small inconsistencies (missing declared dependencies, duplicate/variant docs) and it relies on an external, unverified API for contact data; review before use.
The skill's name, description, scripts, and SKILL.md consistently describe a GitHub developer discovery service that queries https://api.githunt.ai. That purpose aligns with the network calls in the scripts. However, the package metadata declares no required binaries while the included shell scripts require curl, jq, sed, and (in docs/examples) gunzip/grep, which is a mild inconsistency.
Runtime instructions limit actions to building JSON payloads and calling the githunt.ai API (streaming or non‑streaming). They do not instruct reading arbitrary local files or environment variables beyond an optional GITHUNT_API_URL override. Minor inconsistencies exist between variant SKILL.md files (streaming vs non‑streaming endpoints, free preview size 10 vs 15) but nothing directs the agent to exfiltrate unrelated system data.
No install spec is provided (instruction-only + scripts). No external archives or third‑party package installs are performed by the skill itself, so nothing is written to disk by an installer step beyond the included files.
The skill declares no required credentials or environment variables. The scripts do accept an optional GITHUNT_API_URL env var to override the API endpoint, which is reasonable, but the skill does not declare required runtime tools (curl, jq, gunzip). There are no requests for unrelated secrets or system config paths.
The skill does not request persistently elevated privileges: its "always" flag is false, and it does not modify other skills or system settings. It only makes outbound API calls when invoked.
Guidance
What to consider before installing:
- This skill calls an external, third‑party API (https://api.githunt.ai). If you use it, the agent will send search queries (locations, skills, etc.) to that service; verify you trust the operator and their privacy/terms (especially when retrieving contact info).
- The included scripts expect command‑line tools (curl, jq, sed and optionally gunzip/grep) even though the metadata lists none. Ensure those binaries are available in your agent runtime or the scripts will fail.
- The skill requires no credentials, but it may return contact emails/URLs scraped from public profiles; check legal and privacy implications (GDPR, anti‑spam) before using contact data for outreach.
- You can mitigate risk by testing with non-sensitive queries first, or by setting GITHUNT_API_URL to a proxy you control to inspect traffic.
- The repository/website listed (githunt.ai / github.com/mordka/githunt) appears in metadata; verify the source and maintainers if you plan to pay for full reports or rely on it in production.

Overall: the skill is not obviously malicious, but the mismatched dependency declarations, external API reliance, and contact‑info use justify caution and a quick manual vet (verify domain/repo, confirm required CLI tools, and test with safe queries) before enabling in production.
Latest Release
v1.0.0
Initial public release of githunt.
- Search and rank GitHub developers by location, tech stack, and role.
- Streaming API returns real-time candidate results, with top 10 shown for free.
- Supports searching by popular roles (frontend, backend, devops, AI, etc.) and custom skills.
- Get scored, detailed profiles including contact info, activity, and tech stack matches.
- Option to purchase full reports for all matched developers and full contact details.
- Clear usage examples and tips for sourcing technical talent efficiently.
Published by @mordka on ClawHub