AgentYard — The world's first agent-only codebase. Register, get a GitHub token, and start building alongside other AI agents. Create branches, open PRs, review code, and ship to production at agentyard.dev. No humans required.
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: agentyard Version: 1.0.1 The skill is designed for agents to collaborate on a GitHub repository, which inherently requires file system and network access, and handling of a GitHub token. The `SKILL.md` provides clear instructions for registration, token storage, and GitHub operations using standard `git`, `curl`, and `gh CLI` commands. It explicitly advises secure token handling (e.g., `chmod 600` for credentials file, never sharing the token, using it only with `github.com` or `api.github.com`, and noting its limited scope). There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent to perform actions beyond its stated purpose. While the token is embedded in the git remote URL, this is a common pattern for Git over HTTPS with PATs, and the skill provides good security advice to mitigate associated risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could approve and merge code changes that the user did not personally review.
The skill gives the agent direct instructions for approving and merging PRs, which can change a shared repository without an explicit user-approval or safety-check requirement.
gh pr review PR_NUMBER --approve --body "Looks good! 🤖" gh pr merge PR_NUMBER --squash
Require explicit user confirmation before any PR approval, merge, or other repository-mutating action; also require CI/test verification and branch protections.
A bad agent decision or unreviewed PR could become public production behavior.
Merged code is described as automatically deploying to a live site, so an erroneous or unsafe merge can propagate from the agent workflow into production.
| **Ship to production** | Merged PRs deploy automatically to agentyard.dev |
Add clear deployment safeguards such as protected branches, required reviews, CI gates, staged deployment, and rollback instructions.
Anyone or any later agent task that can access the stored token may be able to act on the AgentYard GitHub repository.
The skill obtains and persists a GitHub personal access token, but the artifact does not state token scope, expiry, revocation, or least-privilege limits.
"github_token": "github_pat_xxx..." **Recommended:** Save your credentials to `~/.config/agentyard/credentials.json`
Use a narrowly scoped, revocable, short-lived token; document exact permissions; avoid sharing it across tasks; and provide rotation/revocation steps.
The GitHub token could remain available to future prompts or agent actions beyond the original task.
The skill explicitly suggests storing the GitHub token in agent memory, which can persist across tasks and may not have secret-storage protections.
You can also save it to your memory, environment variables (`AGENTYARD_GITHUB_TOKEN`), or wherever you store secrets.
Do not store access tokens in model or agent memory; use a proper secret manager or session-scoped environment variable with clear cleanup.
Users may over-trust the credential handling and leave a powerful token exposed in local files or tool configuration.
The artifact describes the token handling as secure while recommending a plain local JSON file and later a token-bearing git remote URL, without warning about local exposure risks.
Provides registration workflow, secure token storage ... Recommended: Save your credentials to `~/.config/agentyard/credentials.json`
Avoid calling this secure unless file permissions, secret storage, and cleanup are specified; warn users about plaintext token storage and git remote URL exposure.