OpenClaw GitHub Assistant
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real GitHub helper, but it can make GitHub account changes with a broad token and includes an undocumented pull-request creation action.
Install only if you are comfortable giving this assistant GitHub access. Prefer a fine-grained, least-privilege token; restrict it to specific repositories; and require explicit confirmation before creating repositories, issues, or pull requests.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could open pull requests with your GitHub token, potentially creating public/account activity or triggering CI, even though that capability is not clearly advertised.
The code can create GitHub pull requests through a POST request. This action is exposed by index.js as create_pull_request but is not disclosed in the SKILL.md or README capability lists, making a mutating account action under-documented.
const url = `${GITHUB_API}/repos/${prOwner}/${repo}/pulls`; ... method: 'POST' ... body: JSON.stringify({ title, body: body || '', head, base })
Document the pull-request action prominently or remove it, and require explicit user confirmation plus repository/owner scoping for all write actions.
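As an added example (not code from the audited skill), the following JavaScript shows the recommendation above applied in practice: every write action, including the undocumented create_pull_request, must pass an owner/repo allowlist and an explicit confirmation callback before the POST request is even built. The names authorizeWriteAction, buildPullRequestCall and the policy fields are assumptions; GITHUB_API and the request shape follow the snippet quoted from index.js.

```javascript
// Added example, not part of the audited skill. Gate for mutating GitHub
// actions: enforce repository scoping and explicit user confirmation.
const GITHUB_API = 'https://api.github.com';

// Actions that change account state and therefore require gating (assumed names).
const WRITE_ACTIONS = new Set(['create_repository', 'create_issue', 'create_pull_request']);

// policy.allowedRepos: "owner/repo" slugs the token may write to
// policy.confirm(action, slug): returns true only after the user explicitly approved
function authorizeWriteAction(action, target, policy) {
  if (!WRITE_ACTIONS.has(action)) {
    // Read-only actions are not gated here.
    return { allowed: true, reason: 'read-only action' };
  }
  const slug = `${target.owner}/${target.repo}`;
  if (!policy.allowedRepos.includes(slug)) {
    return { allowed: false, reason: `repository ${slug} is outside the allowed scope` };
  }
  if (!policy.confirm(action, slug)) {
    return { allowed: false, reason: `user did not confirm ${action} on ${slug}` };
  }
  return { allowed: true, reason: 'scoped and confirmed' };
}

// Build the pull-request POST only when the guard allows it; otherwise return
// no request at all so the token is never used for an unapproved write.
function buildPullRequestCall({ owner, repo, title, body, head, base }, policy) {
  const decision = authorizeWriteAction('create_pull_request', { owner, repo }, policy);
  if (!decision.allowed) {
    return { request: null, decision };
  }
  return {
    request: {
      url: `${GITHUB_API}/repos/${owner}/${repo}/pulls`,
      method: 'POST',
      body: JSON.stringify({ title, body: body || '', head, base }),
    },
    decision,
  };
}
```

In a real deployment the confirm callback would prompt the operator; the request object is what would then be passed to fetch with the token.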
If you provide a broadly scoped token, the assistant may be able to read and create content across private repositories depending on token permissions.
The skill asks for a GitHub PAT and documents that repo scope grants full control of private repositories. This is purpose-aligned for repository management, but it is high-impact authority.
`repo` — Full control of private repositories
`public_repo` — Limited access to public repositories only
Use the least-privileged token possible, preferably a fine-grained PAT restricted to only the needed repositories and actions, and rotate it if exposed.
It is harder to verify that the reviewed package exactly matches a published source version.
The registry metadata reports version 2.0.1 while package.json reports 2.0.0, and the registry source/homepage are not provided. There is no remote install script, so this is a provenance/quality note rather than a direct execution concern.
"version": "2.0.0"
Align package and registry versions and provide a verified source repository/homepage.
