GitHub Token
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: github-token
Version: 1.0.0

The OpenClaw skill 'github-token' is designed to interact with GitHub using Personal Access Tokens (PATs). The `SKILL.md` clearly outlines its purpose and commands, and instructs the agent to store the token in `TOOLS.md` and 'Never expose in logs or messages'. The `scripts/gh.py` helper implements standard GitHub API calls and Git CLI commands (`git clone`, `git push`, etc.) using the provided PAT. PATs are sensitive, and `cmd_clone` and `cmd_push` inject the token into the Git HTTPS URL for authentication; this is a common way to authenticate Git operations with a PAT and is not by itself indicative of malicious intent, although it does carry a leakage risk (see the findings below). There is no evidence of data exfiltration to unauthorized endpoints, execution beyond the stated purpose, persistence mechanisms, or prompt injection attempts against the agent. The skill's behavior is aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: If the PAT leaks, anyone holding it can read or modify GitHub repositories up to the limits of the token's scopes.
Description: The helper embeds the user's PAT directly in a Git HTTPS URL and passes that URL as a command-line argument. The clone URL can be persisted in the repository's remote configuration (`.git/config`), process arguments are visible to other users on the host through `ps` or `/proc`, and git error messages that echo the URL may expose the token.
Evidence: `url = f"https://{token}@github.com/{repo}.git" ... subprocess.run(["git", "clone", url, dest], capture_output=True, text=True)`
Recommendation: Do not embed PATs in URLs. Use a Git credential helper, an askpass flow, or a securely scoped environment secret; redact git output before it reaches logs or messages; and clearly declare the credential and the scopes it requires.
Impact: The token could be reused across later tasks or accidentally exposed if TOOLS.md is shared, copied, indexed, or committed.
Description: TOOLS.md is persistent, agent-readable context; storing a GitHub PAT there creates long-lived secret exposure with no retention, deletion, file-permission, or reuse boundaries.
Evidence (from SKILL.md): "Agent stores token in TOOLS.md under `### GitHub` section. Never expose in logs or messages."
Recommendation: Avoid storing PATs in TOOLS.md. Prefer a secret manager or a per-session environment variable, and document how to remove or rotate the token.
Impact: Unintended files, unrelated edits, or secrets in the working tree could be committed and pushed to GitHub.
Description: The push command stages every local change, commits, and pushes without showing a status or diff and without requiring explicit confirmation of the exact files; the push also goes through `auth_url`, which again carries the PAT on the command line.
Evidence: `subprocess.run(["git", "add", "-A"]) ... subprocess.run(["git", "commit", "-m", message] ... ["git", "push", "-u", auth_url, branch])`
Recommendation: Show `git status`/`git diff` first, require explicit user confirmation, and let users choose specific paths instead of always running `git add -A`.
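As an added example of the recommendation above (not the skill's own code), the push below stages only paths the user named, refuses credential-looking files and empty selections, and shows the diff for an explicit yes before staging. `SENSITIVE_PATTERNS`, `parse_status`, `plan_commit` and `push_reviewed` are names chosen here; the pattern list is an assumption, and the remote is assumed to be configured without an embedded token so that `git push` needs no `auth_url`.

```python
"""Reviewed push for an agent helper (added example): explicit paths, secret screening,
status/diff shown and confirmed before anything is staged; never `git add -A`."""
import fnmatch
import subprocess
from typing import Callable, Dict, List, Tuple

# Filenames an agent should never commit without a human looking first (assumed list).
SENSITIVE_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "*.p12", "id_rsa*", "TOOLS.md"]


def parse_status(porcelain: str) -> Dict[str, str]:
    """Parse `git status --porcelain` (v1) into {path: XY status code}.

    Lines look like ' M path', '?? path' or, for renames, 'R  old -> new'.
    """
    changes: Dict[str, str] = {}
    for line in porcelain.splitlines():
        if len(line) < 4:
            continue
        code, path = line[:2], line[3:]
        if " -> " in path:  # rename: the new name is what gets staged
            path = path.split(" -> ", 1)[1]
        changes[path] = code
    return changes


def is_sensitive(path: str) -> bool:
    """True if the basename matches a credential-like pattern."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS)


def plan_commit(porcelain: str, requested: List[str]) -> Tuple[List[str], List[str]]:
    """Decide which requested paths may be staged; return (to_stage, problems).

    Any problem aborts the whole push: a partial commit of 'everything except the
    secret' is not what the user asked for either.
    """
    if not requested:
        return [], ["no paths requested; refusing to stage the whole working tree"]
    changes = parse_status(porcelain)
    to_stage, problems = [], []
    for p in requested:
        if p not in changes:
            problems.append(f"{p}: no local change")
        elif is_sensitive(p):
            problems.append(f"{p}: looks like a credential file")
        else:
            to_stage.append(p)
    return to_stage, problems


def _git(*args: str) -> str:
    """Run git in the current directory and return stdout; raises on non-zero exit."""
    return subprocess.run(["git", *args], capture_output=True, text=True, check=True).stdout


def push_reviewed(paths: List[str], message: str, branch: str,
                  confirm: Callable[[str], bool]) -> None:
    """Stage only `paths`, after showing the review text and getting an explicit yes.

    `confirm` receives the diff (plus a list of new files) and returns True to proceed;
    a CLI would wrap input(), an agent would relay it to the user verbatim.
    """
    status = _git("status", "--porcelain")
    to_stage, problems = plan_commit(status, paths)
    if problems:
        raise RuntimeError("refusing to push:\n  " + "\n  ".join(problems))
    changes = parse_status(status)
    tracked = [p for p in to_stage if changes[p] != "??"]
    untracked = [p for p in to_stage if changes[p] == "??"]
    # diff against HEAD covers both staged and unstaged edits to tracked files;
    # untracked files have no diff yet, so they are listed by name instead.
    review = _git("diff", "HEAD", "--", *tracked) if tracked else ""
    if untracked:
        review += "\nNew files (full content will be committed):\n  " + "\n  ".join(untracked)
    if not confirm(review):
        raise RuntimeError("user declined; nothing was staged")
    _git("add", "--", *to_stage)
    _git("commit", "-m", message)
    _git("push", "-u", "origin", branch)  # remote has no embedded token; auth via GIT_ASKPASS/helper
```

`plan_commit` works on the porcelain text alone, so it can be unit-tested on constructed status output without a repository; `push_reviewed` is the thin shell around it that actually touches git.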
Impact: Users have less registry-level information with which to verify where the helper came from and whether the required tools are available.
Description: The package includes a Python GitHub helper and documents use of the python3 and git commands, but its provenance and runtime-dependency metadata are incomplete.
Evidence: Source: unknown; Homepage: none; Required binaries (all must exist): none
Recommendation: Declare the project source/homepage and the required binaries, especially git and python3, so users can verify provenance and prerequisites before installing.
