Back to skill

Security audit

gh-issues

Security checks across malware telemetry and agentic risk

Overview

This GitHub automation skill has a coherent purpose, but it handles GitHub tokens unsafely and can keep acting on repositories through sub-agents and background modes.

Review before installing. Use only a least-privilege GitHub token, avoid private repositories unless you accept the exposure risk, start with --dry-run, and avoid --yes, --watch, --cron, and --notify-channel unless the scope and destination are tightly controlled. Treat logs and kept transcripts from this skill as potentially containing GitHub token material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill is documented as receiving GH_TOKEN via environment injection, yet it also instructs itself and sub-agents to read tokens from local config files. That expands credential access beyond the minimum necessary scope and causes the skill to actively seek secrets from disk, including from shared bot locations like /data/.clawdbot/openclaw.json.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill explicitly reads and exports GH_TOKEN from local configuration files without any clear user-facing disclosure that it will access stored credentials. Secret access from disk is sensitive behavior, and doing it silently increases the chance of unexpected credential use or cross-context secret exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill supports sending summaries and PR links to a Telegram channel, but this external notification behavior is not prominently disclosed as data exfiltration to a third-party service. Repository identifiers, issue titles, PR URLs, and workflow outcomes may be sensitive in private or internal repositories.

Ssd 3

High
Confidence
99% confidence
Finding
The sub-agent prompt instructs loading a GitHub token from local config and then printing a token prefix with `echo "Token: ${GH_TOKEN:0:10}..."`. Even partial token disclosure is credential leakage, and preserving transcripts with `cleanup: "keep"` increases the risk that exposed secrets remain stored and reviewable.

Ssd 3

High
Confidence
99% confidence
Finding
The review-handler prompt repeats the same dangerous pattern: reading stored GH_TOKEN values and echoing part of the token. This duplicates the credential exposure path in another agent flow and broadens the chance of leaking secrets into logs or persistent session artifacts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.