Copilot CLI AI Code Analysis
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: Anyone who can read that file may be able to use the token for Copilot requests under the user's GitHub account.
Description: The skill requires a GitHub personal access token for Copilot requests and stores it in a local file.
Evidence: "Create a fine-grained token with the permission: Copilot Requests ... The token is saved to `~/.copilot/github_token.txt`"
Recommendation: Use the narrowest fine-grained token, keep the file private with restrictive permissions, and rotate or revoke the token when it is no longer needed.
Impact: Project code, prompts, or related context may be sent to GitHub Copilot for analysis.
Description: The skill discloses that Copilot CLI uses GitHub's API to analyze code, including code from projects not hosted on GitHub.
Evidence: "Copilot CLI uses the GitHub Copilot API to analyze code ... Where the code is stored does not affect analysis (it can be GitLab, GitHub, etc.)"
Recommendation: Use this only on repositories whose confidentiality and compliance rules allow Copilot/GitHub processing, and avoid including secrets in prompts or files.
Impact: If used carelessly, automatic mode could make unintended changes in the project workspace.
Description: The skill documents an automatic execution mode; it is disclosed as requiring permission, but it can reduce human review before development actions are taken.
Evidence: "Automatic execution (requires permission): `copilot --yolo -p "为这个功能编写单元测试"`" (the prompt asks Copilot to write unit tests for this feature)
Recommendation: Use `--yolo` only with explicit user approval, preferably in version-controlled workspaces, and review diffs and test results before keeping changes.
Impact: The user is trusting the installed package and its update channel.
Description: The skill relies on installing an external CLI through Homebrew; this is central to the skill's purpose but should still be verified by the user.
Evidence: `brew install copilot-cli`
Recommendation: Install only from official or trusted Homebrew sources and confirm the package identity before use.
