Read GitHub
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: read-github Version: 1.0.1 The skill is classified as suspicious due to the broad capabilities exposed by the `scripts/gitmcp.py` script. Specifically, the `fetch-url` command allows fetching content from arbitrary URLs provided by the user, which could lead to Server-Side Request Forgery (SSRF) or access to internal network resources if the `gitmcp.io` service does not adequately restrict target URLs. Additionally, the `call` command allows invoking any tool on the `gitmcp.io` service with arbitrary JSON arguments, providing a wide attack surface if the service exposes powerful or unintended functionalities. While the `SKILL.md` instructions are benign, the underlying script provides these risky capabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the helper may download or execute the current npm version of mcp-remote, so behavior depends partly on an external package not included in the skill.
The script invokes the mcp-remote npm package through npx at runtime. This is central to the MCP workflow, but the package/version is not pinned in the provided artifacts.
subprocess.Popen(["npx", "-y", "mcp-remote", mcp_url], ...)
Declare the npx dependency clearly and prefer a pinned or reviewed mcp-remote version before use.
Queries and target repository/URL information may be visible to gitmcp.io, even though no credentials or private local files are requested by the skill.
The skill relies on an external MCP service for repo documentation/code access, so repo names, search queries, and requested URLs are sent to that provider.
Access GitHub repository documentation and code via the gitmcp.io MCP service.
Use it for public or non-sensitive repository lookups unless you are comfortable sending the query and URL details to gitmcp.io.
A user or agent could invoke remote MCP tools outside the common documented workflow if the server exposes them.
The direct-call option allows arbitrary tool names and JSON arguments for the remote MCP server. The documented tools are read-focused, but this is broader than the narrower fetch/search commands.
Call any MCP tool directly: python3 scripts/gitmcp.py call owner/repo tool_name '{"arg": "value"}'Prefer the listed fetch/search commands, and review tool names and arguments before using the direct-call escape hatch.