GitHub Passwordless Setup
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its GitHub authentication purpose, but it asks for powerful long-lived GitHub access and includes risky setup and deletion commands that users should review carefully.
Install only if you trust the publisher and have reviewed the exact script you will run. Do not pipe the remote script directly to bash; use a pinned, inspected copy. Create a fine-grained, expiring PAT with minimal scopes, avoid delete/admin scopes unless necessary, and do not run the repository deletion test unless it targets a known disposable test repository.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote branch changes or is compromised, installing the skill could run code different from the reviewed files.
The recommended quick start executes a remote script from an unpinned branch directly in the shell. The registry source is unknown and there is no install spec tying that remote script to the reviewed artifact.
curl -fsSL https://raw.githubusercontent.com/happydog-intj/github-passwordless-setup/master/setup.sh | bash
Avoid `curl | bash`; download and inspect a pinned commit or use the reviewed local script, and publish a clear install spec/source URL.
A compromised token could read or modify repositories (including private ones), workflows, or organizations depending on the scopes granted.
The skill recommends a long-lived GitHub PAT with broad private-repository, workflow, repository-deletion, and organization-administration privileges.
Expiration: `No expiration` ... Select scopes: `repo` (all sub-scopes), `workflow`, `delete_repo`, `admin:org`
Use a fine-grained token with the minimum scopes needed, set an expiration date, and avoid `delete_repo` or `admin:org` unless absolutely required.
If the list order is unexpected or the account context differs, a real repository could be deleted without another confirmation prompt.
The verification example suppresses confirmation with `--yes` and deletes whichever repository appears first in `gh repo list`, not the exact generated test repository name.
gh repo create test-$(date +%s) --public && gh repo delete --yes $(gh repo list --limit 1 --json name --jq '.[0].name')
Delete only the exact test repository name captured at creation time, require user confirmation, and avoid granting `delete_repo` for routine verification.
Anyone who gains access to the local private key could use the GitHub SSH access associated with it.
The automated setup generates an SSH private key with an empty passphrase, which is consistent with passwordless use but creates a persistent unencrypted credential on disk.
ssh-keygen -t ed25519 -C "$USER_EMAIL" -f ~/.ssh/id_ed25519 -N ""
Prefer a passphrase-protected SSH key or ensure the machine and `~/.ssh` permissions are well protected before adding the key to GitHub.
