GitHub
Pass
Audited by ClawScan on May 7, 2026.
Overview
This is a disclosed GitHub API skill that needs Maton/GitHub credentials and can change repository data, but the visible instructions scope those actions and require user approval for writes.
Before installing, make sure you trust Maton with the GitHub accounts and repositories involved. Use least-privilege OAuth scopes, specify the correct connection when you have multiple accounts, and carefully review any write, delete, merge, transfer, or force-push action before approving it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may access GitHub resources available to the connected account, including private repository data if the OAuth grant allows it.
The skill uses a Maton API key and a managed GitHub OAuth connection to make authenticated GitHub requests on the user's behalf.
compatibility: Requires network access and valid Maton API key ... Maton proxies requests to `api.github.com` and automatically injects your OAuth token.
Use a trusted Maton account, grant the minimum GitHub scopes needed, specify the intended connection ID when applicable, and revoke unused connections.
If misused or approved accidentally, the skill could modify or delete repository data, merge pull requests, or affect collaborators and branches.
The skill supports authenticated GitHub write and destructive actions, while also documenting approval and caution requirements.
**All write operations require explicit user approval.** ... **Irreversible / high-risk operations** ... Deleting repositories, branches, or releases ... Merging pull requests
Review every write, merge, delete, transfer, or force-push request carefully and confirm the exact repository, branch, issue, pull request, and account connection before approving.
Repository names, issue content, pull request data, and other GitHub API data may pass through Maton as part of normal use.
GitHub API traffic is routed through the Maton gateway rather than directly to GitHub, so request and response data flow through a third-party service.
https://api.maton.ai/github/{native-api-path} ... Maton proxies requests to `api.github.com`
Install only if you trust Maton with the GitHub data involved in your tasks, and avoid sending unrelated sensitive repository data through the gateway.
Installing a global CLI adds trust in the external package source and whatever version the package manager resolves.
The documentation suggests installing an external global CLI package via npm or Homebrew; this is user-directed and purpose-aligned, but the artifact does not pin a version.
npm install -g @maton-ai/cli ... brew install maton-ai/cli/maton
Verify the Maton CLI package source before installing, consider pinning or auditing the version, and use the documented direct API method if you do not need the CLI.
