MacClaw Copilot CLI
v1.0.2
GitHub Copilot CLI - AI code analysis
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (GitHub Copilot CLI — code analysis) aligns with the SKILL.md which instructs installing and running copilot. However, the runtime example requires a COPILOT_GITHUB_TOKEN read from ~/.copilot/github_token.txt but the skill metadata does not declare any required environment variables or credentials — an omission that reduces transparency.
Instruction Scope
The SKILL.md tells the agent to read a local credential file (cat ~/.copilot/github_token.txt) and set COPILOT_GITHUB_TOKEN before invoking copilot. That is practically necessary to authenticate the Copilot CLI, but it explicitly directs access to a user filesystem path containing sensitive credentials. The instructions do not provide safer alternatives (e.g., use a platform secret store or prompt the user).
Install Mechanism
No install spec is embedded in the skill (instruction-only). The README recommends using Homebrew (brew install copilot-cli), which is a standard package manager and an expected way to install the CLI — low risk compared to arbitrary downloads.
Credentials
Requiring a GitHub Copilot token is proportionate to the stated purpose. However, the skill fails to declare this credential in its metadata and instead hard-codes an example that reads a local token file. The lack of declared env vars reduces transparency and could lead to unintended credential exposure if an agent follows the example automatically.
Persistence & Privilege
The skill does not request persistent presence (always is false), does not include install actions in the bundle, and does not modify other skills' configurations. No elevated persistence privileges are requested.
What to consider before installing
This is an instruction-only Copilot CLI helper and is broadly consistent with its purpose, but it instructs the agent to read a local file (~/.copilot/github_token.txt) to obtain your COPILOT_GITHUB_TOKEN while not declaring that credential — treat this as a transparency issue. Before installing or using: (1) verify you trust the copilot-cli package from Homebrew and confirm its origin; (2) avoid storing tokens in plaintext files where possible — use the platform's secret store or an environment variable set by you at runtime; (3) if you must use a file-stored token, create a dedicated token with the minimal scopes needed and restrict file permissions; (4) prefer to supply the token via your agent platform's secret mechanism rather than letting an agent run cat on your home directory. If you want stronger assurance, ask the skill author to declare the required credential in metadata and to provide a safer authentication example (prompting the user or using a secret store) instead of reading a file path.
Like a lobster shell, security has layers — review code before you run it.
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
MacClaw Copilot CLI
Analyze code with the GitHub Copilot CLI.
Install
brew install copilot-cli
Usage
COPILOT_GITHUB_TOKEN=$(cat ~/.copilot/github_token.txt) copilot -p "你的问题"