Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Chat Assistant (Whatsapp)

v1.0.0

Manage a single GitHub repository via chat for non-technical requesters—after they share the repo URL and a temporary personal token, pull status, summarize who did what and when, and create/follow up on issues directly through the GitHub API.

0 · 861 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (chat-driven GitHub repo management) aligns with the instructions: it uses the GitHub REST API and requires a Personal Access Token (PAT) supplied by the requester. There are no unrelated credential or binary requirements in the manifest. However, the SKILL.md also contains guidance for persistent automation (env files, scripts, cron) which goes beyond the real-time chat use-case described and is optional but notable.
Instruction Scope
Instructions are largely focused on GitHub API calls (appropriate), but there are several problematic or inconsistent pieces: (1) the doc says 'Never save tokens to disk' yet later recommends storing long-lived secrets in a `.env.github-chat-ops` file for daily automation — contradictory and risky; (2) it recommends removing shell history with `history -d $((HISTCMD-1))`, which touches local shell state and could be abused or misleading for non-technical users; (3) the cheatsheet shows a whole-tree snapshot example that uses `$(git rev-parse HEAD)` — this requires a local git repo and contradicts the 'no clone' approach, so it's inaccurate; (4) it recommends caching under /tmp for sessions and also suggests persistent env files — mixing ephemeral and persistent storage without clear guidance.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which minimizes supply-chain risk. Nothing will be automatically downloaded or written to disk by the skill itself.
Credentials
The skill does not declare required env vars in the manifest and instead asks users (during chat) to paste a PAT with the appropriate repo scope. Requesting a PAT is proportionate to the described functionality. The guidance to create and store a long-lived `GITHUB_CHAT_OPS_TOKEN` for cron runs increases the sensitivity and persistence of credentials beyond the core live-chat use; that extra guidance is not justified by the immediate chat use-case and is a potential risk if followed.
Persistence & Privilege
The skill does not request permanent platform presence (always: false) and has no installable code that would run autonomously. However, the documentation explicitly encourages creating scripts, env files, and cron jobs outside the skill — this would create persistence in the user's environment if they follow it. That persistence is not enforced by the skill manifest but is recommended in the instructions, so it increases the operational risk if implemented by a user.
What to consider before installing
This skill appears to do what it says (use a GitHub PAT to call repository endpoints), but there are inconsistencies and risky recommendations you should consider before using it:
- Avoid sending long-lived or overly-permissive tokens in chat. Prefer short-lived or least-privilege PATs (only the repo access you need) or, better, GitHub Apps with scoped permissions where possible.
- The SKILL.md says both 'never save tokens to disk' and also suggests storing a `.env.github-chat-ops` file for cron automation — those conflict. If you follow the automation guidance, be aware that storing tokens in files or cron jobs creates persistent credentials that can be leaked.
- The cheat sheet includes a command to delete shell history (`history -d $((HISTCMD-1))`). That touches local shell state and can be used to hide activity; consider whether you trust the operator and avoid executing history-manipulation commands unless you understand them.
- The 'whole-tree snapshot' example references `git rev-parse HEAD`, which only works in a cloned repo — it's inconsistent with the 'no clone' approach. If you need a tree SHA, derive it from the repository metadata (default branch commit) via the API instead.
- Because this is instruction-only, installing the skill doesn't itself create persistence or exfiltrate data. The real risk comes from following its automation suggestions or pasting tokens into chat. If you use the skill, require ephemeral tokens, confirm you control their revocation, and manually revoke the PAT after the session.

If you are uncomfortable sharing tokens in chat, decline to use this skill or require an alternative integration (GitHub App or a workflow that doesn't require sharing credentials directly). If you proceed, follow the principle of least privilege, keep tokens short-lived, and avoid storing them in plaintext files or cron jobs.


latest · vk977yr357jxfjh4haz8pxv2fm580vfxv
