copilot-cli

v1.0.0

Reference knowledge base for GitHub Copilot CLI. Use when answering questions about Copilot CLI features, commands, configuration, plugins, hooks, skills, MC...

⭐ 1· 30·0 current·0 all-time

bySagar Awale@awalesagar

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description (Copilot CLI reference) matches the bundled files: usage, troubleshooting, automation, customization, hooks, integrations, research, etc. The skill requests no binaries, env vars, or config paths and contains only documentation and examples appropriate for this purpose.

ℹ

Instruction Scope

SKILL.md and referenced docs contain executable examples and operational guidance (e.g., curl install script, npm/brew/winget install commands, examples using COPILOT_GITHUB_TOKEN, editing ~/.copilot/config.json, --allow-all/--yolo/--no-ask-user, autopilot, hooks that run shell scripts, MCP servers and ACP server examples). That scope is expected for a reference, but following these examples can grant broad, unattended permissions or execute arbitrary shell commands — the skill itself does not request those permissions, it merely documents them. Users/agents should not run example install scripts or enable unattended modes without verifying sources and intent.

✓

Install Mechanism

No install spec or code is included; this is an instruction-only skill. Nothing will be written to disk by installing the skill package itself.

✓

Credentials

The skill declares no required env vars or credentials. The docs mention common Copilot env vars and tokens (COPILOT_GITHUB_TOKEN, GH_TOKEN, COPILOT_HOME, etc.) because they are relevant to using Copilot CLI; however the skill does not request or store any secrets. This is proportionate for documentation.

✓

Persistence & Privilege

always:false and disable-model-invocation:false (default) — typical for user-invocable docs. The skill does not request persistent installation hooks or modify other skills' configs.

Assessment

This skill is a local reference manual for GitHub Copilot CLI and is internally consistent with that purpose. It contains many runnable examples (install scripts, edits to ~/.copilot/config.json, flags like --allow-all / --yolo / --no-ask-user, autopilot, and hook examples that run arbitrary shell scripts). The skill itself does not request credentials, but following the examples can be risky: 1) don't run install scripts (e.g., curl | bash) or unknown URLs without verifying the host; 2) prefer fine-grained PATs and store them as repository secrets for CI rather than plaintext env vars; 3) avoid enabling --allow-all/--yolo/--no-ask-user or autopilot in unattended environments unless you understand and accept the risk; 4) audit any hook scripts and plugin sources before installing (hooks can execute arbitrary shell commands and may log or transmit data); 5) treat MCP/ACP server endpoints and plugin sources as untrusted until validated. Because this is documentation-only, it does not itself exfiltrate data, but acting on the documented commands can create security exposure — verify official upstream sources and minimal privileges before executing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbf22vn8sc2bm2asptns5m5847fq7

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

copilot-cli

License

Comments