v1.0.0

github-helper

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

This GitHub helper is mostly purpose-aligned, but it can overwrite a persistent CLAUDE.md knowledge base and reuse repository README text as future agent context.

Guidance: Before installing, confirm the repository root path, back up any existing CLAUDE.md, and check which GitHub account gh or MCP will use. Treat imported repository summaries as untrusted text, especially after cloning public repositories.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/update_kb.py
claude_md_path = Path(github_dir) / "CLAUDE.md" ... with open(claude_md_path, "w", encoding="utf-8") as file: file.write(content)

The helper replaces CLAUDE.md in the selected repository root. The documented workflow uses this updater for initialization and after clone, but the artifacts do not show backup, merge, or confirmation before overwriting.

User impact: An existing CLAUDE.md or local knowledge file could be replaced, causing loss of notes or changing persistent agent context.
Recommendation: Ask for explicit confirmation before writing, show the exact target path, back up the existing file, and merge rather than blindly overwrite.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

The skill metadata does not declare required tooling, while the SKILL.md workflows invoke python3, git, gh, and GitHub MCP. This is a dependency disclosure gap rather than evidence of hidden behavior.

User impact: Users may not realize the skill depends on local command-line tools and GitHub integrations until it is invoked.
Recommendation: Declare python3, git, gh, and any MCP dependency in metadata or installation guidance.

Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
Update this SKILL.md path if needed.

The skill tells the agent to persistently modify its own instruction/configuration file for path changes. The intent is path configuration, but it should be user-approved because it changes future skill behavior.

User impact: The skill may retain a local path or altered behavior across future sessions.
Recommendation: Store user-specific paths in a separate user config file, and require approval before editing SKILL.md.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Use `gh` CLI first, then fall back to GitHub MCP ... gh issue list --repo <owner/repo> --state all --limit 20

The GitHub CLI and GitHub MCP may use the user's authenticated GitHub identity. This is expected for a GitHub helper, but it can access private repositories, issues, or PRs visible to that account.

User impact: The agent may query GitHub data available to your logged-in account.
Recommendation: Confirm which GitHub account and scopes are active, and avoid using broader GitHub permissions than needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Concern
scripts/scan_repos.py
content = file.read() ... for line in lines: if not line.startswith("#"): return line[:200]

The scanner extracts text from repository README files for summaries, which the workflow stores in CLAUDE.md for future lookup. README text from cloned repositories can be untrusted and is not marked or sanitized as untrusted data.

User impact: A malicious or misleading repository README could place instructions or deceptive text into the persistent knowledge base that the agent later reads.
Recommendation: Treat repository summaries strictly as data, escape or quote imported text, warn before importing newly cloned repos, and avoid using generated CLAUDE.md content as agent instructions.