gh-issues
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a powerful GitHub issue-fixing automator, but it needs review because it can use your GitHub token for autonomous repository changes and may expose credentials during setup.
Install only if you are comfortable granting this skill a least-privilege GitHub token and allowing it to automate repository work. Start with --dry-run, avoid --yes, --watch, and --cron until you have narrow filters and review controls, and ensure tokens are not printed or stored in logs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your GitHub token could be exposed in command output or logs, and the token may allow repository reads, pushes, PR creation, or other account actions depending on its scopes.
Using a GitHub token is expected for this skill, but printing it with echo and reading local config files for an API key increase the chance that credentials appear in logs or are reused outside a clearly bounded credential flow.
First, ensure GH_TOKEN is available.
Check environment: echo $GH_TOKEN
If empty, read from config: cat ~/.openclaw/openclaw.json | jq -r '.skills.entries["gh-issues"].apiKey // empty'
...
cat /data/.clawdbot/openclaw.json | jq -r '.skills.entries["gh-issues"].apiKey // empty'
Do not echo secrets. Use a secure secret lookup, declare any config files read, and use a least-privilege GitHub token limited to the intended repositories.
If invoked with broad filters, --yes, or --cron, the agent may process many issues and create code changes or PRs without per-issue approval.
The skill directs agents to perform high-impact GitHub actions and includes modes that bypass confirmation for all filtered issues.
description: "Fetch GitHub issues, spawn sub-agents to implement fixes and open PRs, then monitor and address PR review comments..." ... "--yes | false | Skip confirmation and auto-process all filtered issues" ... "--cron ... Force `--yes`"
Use --dry-run first, avoid --yes/--cron unless you fully trust the filters, and require explicit review before pushes, PR creation, or review-response changes.
Automation could continue acting on new issues or review comments after the initial command, creating changes the user may not immediately see.
The skill supports long-running polling and a cron mode that can launch sub-agents and stop waiting, but the visible artifact does not describe strong containment, cancellation, or audit controls.
"--watch | false | Keep polling for new issues and PR reviews after each batch" ... "--cron | false | Cron-safe mode: fetch issues and spawn sub-agents, exit without waiting for results."
Only use watch/cron modes with narrow filters, clear logs, a kill switch, and repository permissions that limit possible damage.
Installation may add an unnecessary tool or fail at runtime if jq is missing.
The declared dependencies do not line up with the runtime instructions: gh is installed despite being described as unused, while jq is used but not declared.
"requires": { "bins": ["curl", "git", "gh"] } ... "formula": "gh" ... "IMPORTANT — No `gh` CLI dependency. This skill uses curl + the GitHub REST API exclusively." ... "cat ~/.openclaw/openclaw.json | jq -r ..."
Align the metadata with the actual commands: remove the unused gh dependency if it is not needed, and declare jq if the skill relies on it.
If configured, PR links and repository activity summaries may be shared to the specified Telegram channel.
The skill discloses an optional external notification path to Telegram for PR summaries.
"--notify-channel | _(none)_ | Telegram channel ID to send final PR summary to ... Only the final result with PR links is sent, not status updates."
Use this option only with trusted private channels, especially for private repositories.
