Openclaw Github Assistant 2.0.1
Advisory. Audited by static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant could open pull requests on repositories the token can access, which can notify others or trigger repository workflows.
The executable skill exposes a pull-request creation action, but the user-facing SKILL.md capability table and README command reference do not list this action, so users may not realize this mutation authority is available.
create_pull_request: { description: 'Create a pull request', ... handler: createPullRequestHandler }
Document the pull-request action clearly in SKILL.md and README, or remove it if it is not intended; require user confirmation before opening PRs.
A mistaken or overly broad agent action could create public/private repositories, issues, or pull requests on the user's GitHub account.
The skill performs direct GitHub write operations with the configured token. Similar POST handlers exist for issue and pull-request creation, but the artifacts do not define an explicit approval, preview, or rollback step for these account-mutating actions.
const response = await fetch(url, { method: 'POST', headers: getAuthHeaders(context), body: JSON.stringify({ name, description: description || '', private: isPrivate, auto_init }) });
Add an explicit confirmation step for all POST/write actions, document defaults such as public-vs-private repository creation, and restrict write operations to clearly user-requested tasks.
If the token is misused or exposed, it could affect private repositories and account data within the token's scope.
The skill asks users to configure a GitHub Personal Access Token with a broad classic repo scope. This is purpose-aligned for private repository management, but it is high-impact credential access.
`repo` — Full control of private repositories
Prefer the narrowest possible GitHub token, use public_repo for public-only use, consider fine-grained PATs where possible, and store the token in a secure credential store.
Users have less assurance that the reviewed package matches an expected upstream release before granting GitHub access.
The registry provenance is weak, and the included artifacts show differing version identifiers such as package.json 2.0.0 and _meta/index 2.0.1. This does not prove malicious behavior, but it makes trust verification harder for a token-using skill.
Registry metadata: Source: unknown; Homepage: none; Version: 1.0.0
Verify the publisher and source repository before installing, and align registry, package, and skill version metadata.
