Evez Github Manager
Audited by ClawScan on May 12, 2026.
Overview
This GitHub manager is mostly purpose-aligned, but it advertises broad token-backed GitHub write and delete actions without clear approval or scope limits.
Install only if you are comfortable giving it GitHub access. Use a narrowly scoped token, avoid broad organization-level permissions, and require manual review before any merge, issue closure, branch deletion, release, asset upload, workflow, or multi-repo action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent follows these instructions with a powerful GitHub token or integration, it could make repository changes such as merges, closures, releases, or branch deletion without enough built-in guardrails.
These are high-impact GitHub operations that can change public/project state or affect multiple repositories, but the skill does not define confirmation requirements, scope limits, rollback behavior, or safe defaults.
- **PR Management**: List, review, merge, comment on PRs
- **Issue Triage**: List, label, assign, close issues
- **Branch Management**: List, create, delete branches
- **Release Coordination**: Create releases, upload assets
- **Multi-Repo Sync**: Apply changes across multiple repos
Require explicit user approval for every write/delete/release action, document allowed repositories and token scopes, and add dry-run or preview steps for multi-repo operations.
Using an over-privileged token could let the skill perform broader repository actions than intended.
A GitHub token or delegated integration is expected for a GitHub manager, but the registry metadata lists no required env vars or primary credential and the artifacts do not state minimal GitHub permission scopes.
Requires `GITHUB_TOKEN` env var. Get one at https://github.com/settings/tokens, or use Composio integration (already configured).
Use a least-privilege GitHub token, preferably limited to specific repositories and only the permissions needed for the task.
The script may fail until dependencies are installed manually, and users may need to decide where to obtain them.
The CLI imports the external Python package `click`, but the install specs declare no package requirements, so the runtime dependency is under-documented.
    if __name__ == "__main__":
        import click

Document Python/package requirements and pin or otherwise specify trusted dependency sources.
