GitHub MCP Server
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This GitHub automation skill is purpose-aligned, but it asks users to run an unpinned external MCP server with powerful GitHub write credentials and provides limited guardrails for high-impact repository actions.
Install only if you trust the MCP package and need broad GitHub automation. Prefer a pinned, reviewed server version, use a fine-grained token limited to specific repositories, and require human approval before file writes, merges, releases, or bulk issue/PR changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 VirusTotal vendors reported this skill as clean (no detections).
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is over-scoped or the MCP server is misused, an agent could read or change private repositories, issues, pull requests, and organization-related data available to that token.
The skill asks for a GitHub personal access token and explicitly lists the classic `repo` scope, which can grant broad read/write access to private repositories. The registry metadata does not declare a required credential.
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here" ... Select scopes: - `repo` - Full repository access
Use a fine-grained GitHub token limited to specific repositories and permissions; avoid classic full `repo` tokens unless absolutely necessary, and document the credential requirement in metadata.
A mistaken or over-permissive agent action could alter source code, merge the wrong branch, publish a release, or make other persistent changes to important repositories.
The documented agent operations include direct repository mutation, branch merging, and release creation. These are legitimate GitHub workflows, but the provided instructions do not clearly constrain them with confirmation, repository allowlists, or rollback guidance.
Agent: "Update the version in package.json to 2.0.0" ... Agent: "Merge 'develop' into 'main'" ... Agent: "Create a release v2.0.0 with the latest changes"
Require explicit human confirmation for write, merge, release, and bulk-label operations; prefer PR-based workflows, dry runs, and repository allowlists.
The external MCP server will run locally and receive the GitHub token; a compromised, changed, or unexpected package version could access or mutate GitHub resources.
The install/run instructions use an unpinned external npm package via global install or `npx -y`, and the package is described as archived/community-maintained. The reviewed skill contains no code files or install spec for verifying that runtime.
Official MCP Server (Archived - Community Maintained) ... npm install -g @modelcontextprotocol/server-github ... "args": ["-y", "@modelcontextprotocol/server-github"]
Pin a reviewed package version, verify the package source and maintainer status, prefer a trusted official implementation, and avoid passing broad tokens to unreviewed runtime code.
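One way to turn the token-scope finding above and this unpinned-runtime finding into a repeatable pre-install check, as an added example that is not part of the ClawScan report or the MCP server package: it audits an MCP client config for `npx -y` auto-install, an unpinned package spec, and a classic `ghp_` token. The sample configs are constructed here, the version `1.2.3` is a placeholder rather than a real release, and the `${env:...}` indirection syntax is assumed to be supported by the MCP client in use.

```python
import re
from typing import Any, Optional

# Classic PATs start with "ghp_"; fine-grained tokens start with "github_pat_".
CLASSIC_PAT = re.compile(r"^ghp_")

def _package_spec(args: list[str]) -> Optional[str]:
    """The first non-flag argument of an npx invocation is the package spec."""
    for a in args:
        if not a.startswith("-"):
            return a
    return None

def _is_pinned(spec: str) -> bool:
    """True if a (possibly scoped) npm spec carries an explicit version."""
    name = spec[1:] if spec.startswith("@") else spec  # drop the scope marker
    return "@" in name

def audit_mcp_config(config: dict[str, Any]) -> list[str]:
    """Return human-readable findings for each server in an MCP client config."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        cmd, args = server.get("command", ""), server.get("args", [])
        if cmd == "npx":
            if any(a in ("-y", "--yes") for a in args):
                findings.append(f"{name}: npx -y installs whatever version the registry serves")
            spec = _package_spec(args)
            if spec and not _is_pinned(spec):
                findings.append(f"{name}: package '{spec}' is not pinned to a version")
        for key, value in server.get("env", {}).items():
            if CLASSIC_PAT.match(str(value)):
                findings.append(f"{name}: {key} is a classic PAT (ghp_); prefer a fine-grained token")
    return findings

# Constructed sample mirroring the skill's documented install; the token is a placeholder.
WEAK_CONFIG = {"mcpServers": {"github": {
    "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
    "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here"}}}}

# Hardened variant: pinned version (1.2.3 is a placeholder, not a real release), no
# auto-install flag, and the token read from the environment via the client's
# "${env:...}" indirection (assumed; check the MCP client's documentation).
HARDENED_CONFIG = {"mcpServers": {"github": {
    "command": "npx", "args": ["@modelcontextprotocol/server-github@1.2.3"],
    "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${env:GITHUB_PERSONAL_ACCESS_TOKEN}"}}}}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_mcp_config(cfg) or ["no findings"])
```

Pinning only fixes the version you run; reviewing that version's source and maintainer status is still a manual step.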
Private repository contents, issues, PRs, and organization information may be exposed to the local MCP server and the AI workflow using it.
The MCP integration is intended to provide repository contents and GitHub account data to an AI agent. This is expected for the purpose, but it means private code and org metadata may enter the agent/MCP context.
Connect AI agents to GitHub ... Read File ... Search Code ... read user profile ... read organization data
Use the integration only with trusted agents and MCP servers, limit tokens to necessary repositories, and avoid connecting highly sensitive repositories unless data-handling boundaries are clear.
