GitHub Automation Pro
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: github-automation-pro
Version: 1.0.0

This skill bundle is classified as suspicious because of three indicators. First, `SKILL.md` describes an off-platform monetization scheme: direct USDT (TRC-20) payments to a specific wallet address, with license keys handed out over Telegram, bypassing the platform's review and payment systems. Second, `SKILL.md` and `package.json` openly declare heavy code obfuscation, the `.js` files confirm it, and `SKILL.md` additionally prohibits reverse engineering, which severely limits transparency and security analysis. Third, `package.json` pulls in dependencies that a GitHub API automation skill has no evident need for: `@supabase/supabase-js` (a hosted backend/database client) and `puppeteer` (a headless browser driver). Together they provide the building blocks for data exfiltration, unauthorized web interaction, or command-and-control (C2) traffic well beyond the stated purpose. Direct malicious execution cannot be confirmed without deobfuscation, but the combination of off-platform sales, deliberate obfuscation, and powerful, unexplained dependencies strongly suggests an intent to hide functionality from review.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad GitHub token could let the skill modify repositories, issues, pull request metadata, or releases according to the token's permissions.
The skill requires a GitHub token and can enable all repository automation features, but the registry metadata declares no primary credential or environment variable requirement and the docs do not specify minimum token scopes.
.setGitHubToken('ghp_your_token_here')
.setDefaultOwner('your-org')
.setDefaultRepo('your-repo')
.enableAllFeatures()

Use a fine-grained GitHub token limited to specific repositories and actions, and require the skill metadata and docs to declare the credential and minimum scopes clearly.
If invoked incorrectly, the skill could post issues, change issue state or labels, or publish releases in a repository.
The documented actions include creating and updating GitHub content and creating releases; these are purpose-aligned but high-impact mutations, and the artifacts do not define a confirmation or approval step.
Create Issue (supports labels, assignees) ... Update Issue (title, body, state, labels) ... Create Release
Require explicit user confirmation for write actions, especially release creation, and bind each run to a user-approved owner/repo and action.
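One way to implement the confirmation and owner/repo binding recommended above, as an added example that is not code from the github-automation-pro skill or from ClawScan. It wraps any Octokit-style client in a gate that refuses calls outside the approved owner/repo and refuses the documented write actions (issue creation, issue updates, release creation) unless a confirmation callback approves them. The client below is a constructed stand-in that only records calls; the action names and the `confirm` callback shape are assumptions for illustration.

```javascript
// Added example: approval gate around mutating GitHub actions.
// Not the skill's own API; the client is a constructed stand-in.

// Write actions named in the skill's documentation; everything else is read-only here (assumption).
const WRITE_ACTIONS = new Set(["createIssue", "updateIssue", "createRelease"]);

// Build a gate bound to one user-approved owner/repo.
// `confirm(action, params)` must return true only when the user explicitly approved that call.
function createGate({ owner, repo, confirm, client }) {
  function run(action, params) {
    if (params.owner !== owner || params.repo !== repo) {
      return { ok: false, reason: `repo ${params.owner}/${params.repo} not approved` };
    }
    if (WRITE_ACTIONS.has(action) && !confirm(action, params)) {
      return { ok: false, reason: `write action ${action} not confirmed` };
    }
    if (typeof client[action] !== "function") {
      return { ok: false, reason: `unknown action ${action}` };
    }
    return { ok: true, result: client[action](params) };
  }
  return { run };
}

// Constructed stand-in client: records what would have reached the GitHub API.
function fakeClient() {
  const calls = [];
  return {
    calls,
    getIssue: (p) => { calls.push(["getIssue", p]); return { number: p.issue_number }; },
    createIssue: (p) => { calls.push(["createIssue", p]); return { number: 1 }; },
    createRelease: (p) => { calls.push(["createRelease", p]); return { id: 1 }; },
  };
}

// Walk the gate through a constructed sequence of calls and return what happened.
function demo() {
  const client = fakeClient();
  const approved = new Set(["createIssue"]); // the user pre-approved only issue creation
  const gate = createGate({
    owner: "your-org",
    repo: "your-repo",
    client,
    confirm: (action) => approved.has(action),
  });
  const results = [
    gate.run("getIssue", { owner: "your-org", repo: "your-repo", issue_number: 7 }),       // read: allowed
    gate.run("createIssue", { owner: "your-org", repo: "your-repo", title: "bug" }),       // confirmed write
    gate.run("createRelease", { owner: "your-org", repo: "your-repo", tag_name: "v1.0" }), // unconfirmed write
    gate.run("createIssue", { owner: "other-org", repo: "your-repo", title: "x" }),        // wrong owner
  ];
  return { results, calls: client.calls };
}
```

Only the two permitted calls reach the client; the release creation and the call against another owner are refused before any token-bearing request is made.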
Installing the package may pull in more third-party code than expected for a GitHub API helper, and obfuscation makes it difficult to verify what will run with the GitHub token.
Octokit fits the GitHub purpose, but Supabase, node-fetch, and Puppeteer are not explained by the documentation, versions are range-pinned with carets, and the package declares obfuscation, making credential-handling behavior harder to audit.
"dependencies": { "@octokit/rest": "^20.0.2", "@supabase/supabase-js": "^2.95.3", "node-fetch": "^3.3.2", "puppeteer": "^24.37.2" }, ... "obfuscation": true

Remove or justify unrelated dependencies, pin versions or provide a lockfile, publish readable source, and ensure the packaged entrypoint matches the reviewed files.
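The dependency and obfuscation checks above can be run mechanically over a skill's `package.json`. The following is an added example, not ClawScan's scanner or the skill's code: it flags dependencies outside an allowlist for the declared purpose, non-exact version ranges, a declared `obfuscation` flag, a missing lockfile, and an entrypoint that was not among the reviewed files. The allowlist, the `main` field and the reviewed-file list are assumptions; the sample manifest is constructed to mirror the dependency block quoted above.

```javascript
// Added example: static audit of a skill manifest against its declared purpose.
// Not the skill's or ClawScan's code; allowlist and sample manifest are constructed.

// Packages a GitHub REST automation helper plausibly needs (assumption).
const GITHUB_PURPOSE_ALLOWLIST = new Set(["@octokit/rest", "@octokit/core", "@octokit/graphql"]);

// Only an exact semver triple counts as pinned; ^, ~, x, * and comparators do not.
function isPinned(range) {
  return /^\d+\.\d+\.\d+$/.test(String(range).trim());
}

function auditPackage(manifestText, opts = {}) {
  const { allowlist = GITHUB_PURPOSE_ALLOWLIST, hasLockfile = false, reviewedFiles = [] } = opts;
  const pkg = JSON.parse(manifestText);
  const findings = [];
  const deps = pkg.dependencies || {};

  for (const [name, range] of Object.entries(deps)) {
    if (!allowlist.has(name)) findings.push({ kind: "unexplained-dependency", name });
    if (!isPinned(range)) findings.push({ kind: "unpinned-version", name, range });
  }
  if (pkg.obfuscation === true) findings.push({ kind: "declares-obfuscation" });
  if (!hasLockfile && Object.keys(deps).length > 0) findings.push({ kind: "no-lockfile" });

  // npm runs whatever "main" points at; if that file was not reviewed, the review is incomplete.
  const entry = pkg.main || "index.js";
  if (reviewedFiles.length > 0 && !reviewedFiles.includes(entry)) {
    findings.push({ kind: "entrypoint-not-reviewed", entry });
  }
  return findings;
}

// Constructed manifest mirroring the quoted dependency block; "main" is an assumption.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "github-automation-pro",
  version: "1.0.0",
  main: "dist/index.js",
  dependencies: {
    "@octokit/rest": "^20.0.2",
    "@supabase/supabase-js": "^2.95.3",
    "node-fetch": "^3.3.2",
    "puppeteer": "^24.37.2",
  },
  obfuscation: true,
});

function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Audit the sample manifest as if only src/index.js had been reviewed (constructed).
function demo() {
  return countByKind(auditPackage(SAMPLE_MANIFEST, { reviewedFiles: ["src/index.js"] }));
}
```

On the sample manifest this reports three unexplained dependencies, four unpinned ranges, the obfuscation flag, the missing lockfile and an unreviewed entrypoint, which matches the finding above.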
Users may overtrust the token handling and install the skill without realizing that the code is difficult to audit and that the token must, by design, be sent to GitHub's API for the skill to work at all, so it cannot literally "never leave" the local environment.
The documentation makes strong safety claims, including memory encryption and that the token never leaves the local environment, while the provided implementation shows token-based GitHub API use and obfuscated code rather than clear evidence supporting those claims.
- The token never leaves the local environment - All API calls use HTTPS - Sensitive data is encrypted in memory **Note**: the core code has been obfuscated
Replace broad safety claims with precise documentation of where the token is sent, how it is stored, and what protections are actually implemented.
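A claim like "the token never leaves the local environment" can be turned into an enforceable rule instead of a documentation promise. The following is an added example, not code from the skill or from ClawScan: an egress policy that inspects each outbound request and blocks any request that carries the token (in a header or body) to a host other than GitHub's API, or that uses plain HTTP. The wrapper takes any fetch-like transport; the host allowlist, the placeholder token value from the docs, and the request list are constructed assumptions for illustration.

```javascript
// Added example: egress allowlist for token-bearing requests.
// Not the skill's code; hosts, token value and requests are constructed.

// Hosts a GitHub API helper legitimately needs (assumption).
const GITHUB_HOSTS = new Set(["api.github.com", "uploads.github.com"]);

// True if the token appears in any header value (Authorization or otherwise).
function carriesToken(headers, token) {
  return Object.values(headers || {}).some((v) => String(v).includes(token));
}

// Decide whether one request may leave the machine.
function checkEgress(url, init = {}, token) {
  const u = new URL(url);
  const tokenPresent = carriesToken(init.headers, token) || String(init.body || "").includes(token);
  if (u.protocol !== "https:") return { allow: false, reason: "non-HTTPS transport" };
  if (tokenPresent && !GITHUB_HOSTS.has(u.hostname)) {
    return { allow: false, reason: `token would leave for ${u.hostname}` };
  }
  return { allow: true };
}

// Wrap a fetch-like transport so every call passes the policy first.
// With the real global fetch the return value is a Promise; a test transport may return synchronously.
function guardedFetch(transport, token) {
  const log = [];
  function fetchGuarded(url, init = {}) {
    const verdict = checkEgress(url, init, token);
    log.push({ url, ...verdict });
    if (!verdict.allow) throw new Error(`blocked: ${verdict.reason}`);
    return transport(url, init);
  }
  return { fetch: fetchGuarded, log };
}

// Constructed requests: a legitimate API call, an exfiltration attempt via a third-party
// backend, a downgrade to HTTP, and a token-free call to an unrelated host.
const TOKEN = "ghp_your_token_here"; // placeholder from the docs, not a real credential
const REQUESTS = [
  ["https://api.github.com/repos/your-org/your-repo/issues", { headers: { Authorization: `Bearer ${TOKEN}` } }],
  ["https://example.supabase.co/rest/v1/tokens", { headers: { "Content-Type": "application/json" }, body: JSON.stringify({ t: TOKEN }) }],
  ["http://api.github.com/user", { headers: { Authorization: `token ${TOKEN}` } }],
  ["https://example.com/telemetry", {}],
];

function demo() {
  const sent = [];
  const g = guardedFetch((url) => { sent.push(url); return { status: 200 }; }, TOKEN);
  const outcomes = [];
  for (const [url, init] of REQUESTS) {
    try { g.fetch(url, init); outcomes.push("sent"); } catch (e) { outcomes.push(e.message); }
  }
  return { outcomes, sent };
}
```

Only the GitHub API call and the token-free telemetry call go out; the Supabase upload and the plain-HTTP call are blocked before the transport is invoked. Note that this only constrains code routed through the wrapper; obfuscated code that opens its own sockets or drives Puppeteer is not covered, which is exactly why readable source is still required.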
