Official Verified developer tools Safety 5/5

clickhouse-github-forensics

Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks, tracking repository activity, analyzing actor behavior patterns, detecting tag/release tampering, or reconstructing incident timelines from public GitHub data. Triggers on GitHub supply chain attacks, repo compromise investigations, actor attribution, tag poisoning, or "query github events".


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/1an0rmus/clickhouse-github-forensics

What This Skill Does

The clickhouse-github-forensics skill allows OpenClaw to perform deep, programmatic analysis on GitHub activity at scale. By connecting to the public ClickHouse GitHub events dataset, this tool enables security researchers and developers to sift through over 10 billion historical and near-real-time events. It is designed specifically for threat hunting, incident response, and supply chain security investigations where manual investigation through the GitHub UI is inefficient or impossible due to data volume.

Installation

To integrate this skill into your environment, run the following installation command in your terminal:

clawhub install openclaw/skills/skills/1an0rmus/clickhouse-github-forensics

Ensure that you have sufficient permissions configured in your OpenClaw environment to execute external data queries.

Use Cases

  • Supply Chain Incident Response: Quickly reconstruct timelines of repository activity following reported account takeovers or malicious releases.
  • Actor Attribution: Profile suspicious GitHub accounts by analyzing their event patterns, frequency, and breadth of repository interactions to distinguish between automated bots and human actors.
  • Anomaly Detection: Identify unusual behavior in repository maintenance, such as unexpected tag deletions or unauthorized releases that might indicate tampering.
  • Forensic Reconstruction: Extract granular event logs (Push, Create, Delete, Release) for a specific organization or project during a specific window of time to identify the point of entry during an attack.

Example Prompts

  1. "Investigate the account 'suspicious-user-123' and generate a timeline of all their activity in the last 30 days to check for malicious repo modifications."
  2. "Show me all tag and release events for the 'facebook/react' repository that occurred between March 1st and March 5th to look for signs of supply chain tampering."
  3. "Analyze the activity logs for the 'my-org' organization over the past week and highlight any repositories with high volumes of 'DeleteEvent' activity."

Tips & Limitations

  • Freshness: Data is near real-time, typically trailing by a few minutes. Do not use for instantaneous live blocking.
  • Query Optimization: Because this dataset contains over 10 billion records, always include time-range filters (created_at) and specific repo_name or actor_login filters to avoid long-running queries or timeouts.
  • Read-Only Access: The skill queries public read-only endpoints; you cannot modify GitHub repository data or perform administrative actions via this skill. It is strictly for forensic observation and data gathering.
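
The query-optimization tip above, applied to the tag and release case from the example prompts, as an added example that is not the skill's own query. It assumes the `github_events` table and column names of ClickHouse's public GitHub dataset (only `created_at`, `repo_name` and `actor_login` appear on this page); the year in the date range is a constructed value.

```sql
-- Added example, not part of the skill. Assumed schema: github_events from
-- ClickHouse's public GitHub dataset (event_type, ref, ref_type,
-- release_tag_name, actor_login, repo_name, created_at).
WITH events AS
(
    SELECT
        created_at,
        event_type,
        actor_login,
        -- ReleaseEvent carries the tag in release_tag_name;
        -- CreateEvent / DeleteEvent carry it in ref.
        if(event_type = 'ReleaseEvent', release_tag_name, ref) AS tag
    FROM github_events
    -- Always bound the scan: one repository and a closed time window.
    WHERE repo_name = 'facebook/react'
      AND created_at >= '2024-03-01 00:00:00'   -- constructed year
      AND created_at <  '2024-03-06 00:00:00'   -- March 5th inclusive
      AND (
            (event_type IN ('CreateEvent', 'DeleteEvent') AND ref_type = 'tag')
            OR event_type = 'ReleaseEvent'
          )
)
SELECT
    tag,
    countIf(event_type = 'CreateEvent')  AS creates,
    countIf(event_type = 'DeleteEvent')  AS deletes,
    countIf(event_type = 'ReleaseEvent') AS releases,
    groupUniqArray(actor_login)          AS actors,
    min(created_at)                      AS first_seen,
    max(created_at)                      AS last_seen,
    -- A tag that was deleted, or created more than once inside the window,
    -- may have been re-pointed at a different commit and deserves a look.
    (deletes > 0 OR creates > 1)         AS needs_review
FROM events
GROUP BY tag
ORDER BY needs_review DESC, first_seen ASC;
```

Rows with `needs_review = 1` are leads, not findings: maintainers also delete and recreate tags to fix a botched release, so compare the `actors` list and timestamps against the project's normal release routine.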

Metadata

Author: @1an0rmus
Stars: 4473
Views: 0
Updated: 2026-05-01

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-1an0rmus-clickhouse-github-forensics": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags(AI)

#github #forensics #security #threat-hunting #clickhouse
Safety Score: 5/5

Flags: external-api