GitHub MCP Server
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate GitHub automation skill, but it combines broad GitHub write credentials with an unpinned archived external MCP server and limited guardrails for high-impact repository changes.
Install only if you need broad GitHub automation. Prefer a reviewed and pinned MCP server, create a fine-grained token for only the repositories and actions required, avoid classic full-repo tokens, and require manual confirmation before any write, merge, release, or bulk issue/PR operation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or MCP server could read and modify any repositories covered by the token, including private or organization repositories.
The skill tells users to provide a GitHub token and suggests a classic `repo` scope with full repository access, plus user/org reads. That is broad delegated authority and is not reflected in the registry credential declarations.
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here" ... "repo" - Full repository access ... "read:user" ... "read:org"
Use a fine-grained token limited to specific repositories and exact permissions, avoid classic full `repo` scope where possible, store the token securely, and revoke or rotate it after use.
If the package or one of its dependencies changes or is compromised, it could act with the token's GitHub permissions.
The install instructions use an unpinned npm/npx package and describe the server as archived/community-maintained. That external code is not present in the artifact set and would run with the configured GitHub token.
Official MCP Server (Archived - Community Maintained) ... npm install -g @modelcontextprotocol/server-github ... "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]
Pin a reviewed version, verify package provenance, prefer a maintained trusted source, avoid automatic `npx -y` fetching for privileged tools, and review the MCP server before granting a token.
A mistaken prompt or autonomous tool choice could change code, labels, releases, or repository workflow state.
The documented operations include direct repository writes, branch merges, releases, and bulk issue changes, but the artifacts do not specify confirmation, dry-run, branch protection, or rollback requirements.
"Update the version in package.json to 2.0.0" ... "Merge 'develop' into 'main'" ... "Create a release v2.0.0" ... "Label all new issues with 'needs-triage'"
Require explicit user confirmation for write, merge, release, comment, and bulk actions; prefer PR-based changes; restrict protected branches; and keep GitHub audit logging enabled.
Private code, issues, pull requests, or organization metadata may be exposed to the agent session or model provider depending on how the client is configured.
The MCP server is intended to pass repository contents and GitHub data into an agent workflow. This is purpose-aligned, but private source code and issue/PR content may become part of the agent context.
Connect AI agents to GitHub ... Clone and navigate repositories ... Read and modify files ... Search code
Use this only with agents and model providers approved for private code, limit token access to necessary repositories, and review client logging and data-retention settings.
