Read GitHub

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the notes below describe what the artifacts declare, not observed behavior.

What this means

Running the helper downloads and executes whatever version of mcp-remote the npm registry currently serves (the -y flag skips the install prompt), so the skill's behavior depends in part on an external package that is not included in the reviewed artifacts.

Why it was flagged

The script invokes the mcp-remote npm package through npx at runtime. This is central to the MCP workflow, but neither the package version nor its integrity is pinned in the provided artifacts, so each run may resolve a different release.

Skill content
subprocess.Popen(["npx", "-y", "mcp-remote", mcp_url], ...)
Recommendation

Declare the Node/npx dependency explicitly and pin mcp-remote to a reviewed release (npx -y mcp-remote@<version>) rather than resolving the latest version at run time.

What this means

Queries and target repository/URL information are sent to gitmcp.io, even though the skill requests no credentials or private local files.

Why it was flagged

The skill relies on an external MCP service for repo documentation/code access, so repo names, search queries, and requested URLs are sent to that provider.

Skill content
Access GitHub repository documentation and code via the gitmcp.io MCP service.
Recommendation

Use it for public or non-sensitive repository lookups unless you are comfortable sending the query and URL details to gitmcp.io.

What this means

A user or agent could invoke any remote MCP tool the server exposes, including tools outside the documented fetch/search workflow.

Why it was flagged

The direct-call option passes an arbitrary tool name and arbitrary JSON arguments through to the remote MCP server. The documented tools are read-focused, but this path is broader than the narrower fetch/search commands and its inputs are not validated in the reviewed artifacts.

Skill content
Call any MCP tool directly: python3 scripts/gitmcp.py call owner/repo tool_name '{"arg": "value"}'
Recommendation

Prefer the listed fetch/search commands, and review tool names and arguments before using the direct-call escape hatch.
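The following is an added example, not code from the skill or from ClawScan, showing how a gitmcp.py-style wrapper could address the first and third notes above: the npx argv is built with mcp-remote pinned to a reviewed release, and the direct-call escape hatch is gated by a tool-name allowlist before the tools/call request is framed as the JSON-RPC 2.0 message an MCP client writes to the proxy's stdin. The tool names in ALLOWED_TOOLS, the placeholder version string, and the https://gitmcp.io/owner/repo URL form are assumptions for illustration, not values taken from the gitmcp.io server or the skill.

```python
"""Hardened launcher for a gitmcp.py-style helper (added example, not the skill's code).

Shows two changes: pin the mcp-remote version instead of resolving `latest`
at run time, and validate direct-call tool names/arguments against an
allowlist before sending a tools/call request over the stdio proxy.
"""
import json
import re
import subprocess
from typing import Any

# Assumption: the reviewed release is recorded here once; "0.0.0" is a
# placeholder, not a real mcp-remote version.
PINNED_MCP_REMOTE_VERSION = "0.0.0"

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
TOOL_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,63}$")

# Assumption: hypothetical read-focused tool names; replace with the names
# the remote server actually returns from tools/list.
ALLOWED_TOOLS = frozenset({"fetch_documentation", "search_code"})


def build_mcp_remote_argv(mcp_url: str, version: str = PINNED_MCP_REMOTE_VERSION) -> list[str]:
    """Return the npx argv with the package version pinned.

    `npx -y mcp-remote@<version>` resolves exactly that release instead of
    whatever the registry's `latest` tag points to when the helper runs.
    """
    if not SEMVER.match(version):
        raise ValueError(f"mcp-remote version must be pinned to x.y.z, got {version!r}")
    if not mcp_url.startswith("https://"):
        raise ValueError("MCP URL must use https so the proxy target cannot be a plaintext host")
    return ["npx", "-y", f"mcp-remote@{version}", mcp_url]


def validate_direct_call(tool_name: str, args_json: str, allow_unlisted: bool = False) -> dict[str, Any]:
    """Check a direct-call request and return the JSON-RPC 2.0 tools/call message.

    Tool names outside ALLOWED_TOOLS are rejected unless the caller opts in
    with allow_unlisted=True, so the escape hatch is a deliberate choice
    rather than the default path. Arguments must parse as a JSON object.
    """
    if not TOOL_NAME.match(tool_name):
        raise ValueError(f"invalid tool name {tool_name!r}")
    if tool_name not in ALLOWED_TOOLS and not allow_unlisted:
        raise PermissionError(f"tool {tool_name!r} is not in the reviewed allowlist")
    try:
        arguments = json.loads(args_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"arguments are not valid JSON: {exc}") from None
    if not isinstance(arguments, dict):
        raise ValueError("arguments must be a JSON object")
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "tools/call",
        "params": {"name": tool_name, "arguments": arguments},
    }


def launch(mcp_url: str) -> subprocess.Popen:
    """Start the pinned proxy with stdio pipes for newline-delimited JSON-RPC."""
    return subprocess.Popen(
        build_mcp_remote_argv(mcp_url),
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
    )


if __name__ == "__main__":
    # Assumed URL form; no process is started here.
    print(build_mcp_remote_argv("https://gitmcp.io/owner/repo"))
    print(json.dumps(validate_direct_call("search_code", '{"query": "Popen"}')))
```

The allowlist does not make the remote server safer; it only ensures that a caller who wants a tool outside the documented fetch/search set has to say so explicitly, which is the review step the recommendation asks for.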