Security audit

Openclaw Github Assistant 2.0.1

Security checks across malware telemetry and agentic risk

Overview

This GitHub assistant is mostly coherent, but it can make live GitHub account changes with broad credentials and exposes an under-documented pull-request creation action.

Install only if you trust the publisher and are comfortable giving the assistant GitHub write access. Use the narrowest possible GitHub token, prefer public-only or fine-grained scopes when practical, and require your agent workflow to confirm the exact repository, visibility, issue body, or pull-request details before any write action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill requires environment/config secrets and clearly performs networked GitHub operations, yet it does not declare explicit permissions. This weakens the platform's trust and consent model because users cannot accurately see that the skill can access credentials and make outbound API calls before enabling it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description says the skill is for querying and managing repositories and mentions listing repos, CI checks, issue creation, search, and activity, but the behavior also includes creating repositories and pull requests. Undisclosed write capabilities are dangerous because a user may invoke the skill expecting read-only or limited actions while the agent can perform impactful repository mutations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The TypeScript API declarations expose state-changing capabilities to create repositories and pull requests, but the manifest reportedly omits those capabilities. That mismatch is dangerous because reviewers, policy engines, or users may authorize or trust the skill based on incomplete declared behavior, while the implementation can still perform higher-risk GitHub write actions using available credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The exported skill description says the skill only 'Query and manage GitHub repositories', which is broad, but the more detailed action set includes sensitive write operations such as repository creation and pull-request creation. Understating or omitting these capabilities can mislead users, reviewers, or higher-level permission systems into granting access to a skill that can mutate GitHub state, increasing the risk of unauthorized or surprising actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises issue creation and repository creation capabilities without clearly warning that these actions modify live GitHub resources. In an agent skill context, omitting explicit mutation warnings can lead users to invoke destructive or unintended actions through natural-language prompts, increasing the chance of accidental changes to repositories or workflow state.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage examples are broad and underspecified, such as 'Check CI status on my main project' and 'Create an issue about the bug,' without defining repository selection, branch scope, or confirmation rules. In an agent setting, vague triggers increase the risk of acting on the wrong repository or performing unintended write operations from ambiguous natural-language input.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
createRepo performs an authenticated POST to GitHub and can create new repositories using the caller's token, but there is no built-in confirmation, allowlist, or other guardrail visible here before executing the remote write. In an agent setting, ambiguous or prompt-injected instructions could cause unintended repository creation, leading to account clutter, information exposure through incorrectly configured repos, or abuse of the user's GitHub identity.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
createIssue sends user-supplied title/body and arbitrary extra fields directly to GitHub with an authenticated POST, without any visible disclosure or confirmation step. In an autonomous agent workflow, this can be abused to file spam, leak sensitive prompt/context data into issues, or manipulate project workflows by setting labels/assignees/milestones through args.extra.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
createPullRequest performs an authenticated remote write that can open pull requests against a repository without any visible confirmation or policy enforcement. In an agent context this is more dangerous than issue creation because PRs can trigger CI, request reviews, influence release processes, and create trusted-looking change proposals under the user's identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This file exposes state-changing GitHub actions like create_issue, create_repo, and create_pull_request without any visible confirmation, approval gate, or friction before execution. In an agent setting, that makes prompt-induced or mistaken invocations more dangerous because a single conversational misunderstanding could create public artifacts or alter repository workflows.

Session Persistence

Medium
Category
Rogue Agent
Content
You: Check CI status on my main project
Bot: [shows CI/CD status]

You: Create an issue about the bug
Bot: [creates the issue]
Confidence
71% confidence
Finding
Create an issue about the bug
Bot: [creates the issue]

## Setup
### 1. Generate GitHub Personal Access Token
1. Go to https://github.com/settings/tokens
2. Click "Generate new token (classic)"

VirusTotal

61/61 vendors flagged this skill as clean.