GitHub Knowledge Base
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent GitHub search and local knowledge-base helper, but users should notice it can use GitHub credentials and store cloned repository information locally.
This skill appears safe for its stated purpose if you are comfortable with it using gh and maintaining a local repository catalog. Use a limited GitHub token or account, confirm the KB directory, and avoid cloning or cataloging private repositories unless you want that information stored locally.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a token or authenticated gh account, the skill may search, view, or clone private GitHub resources that account can access.
The skill may use a GitHub PAT or authenticated gh session to access private repositories. This is purpose-aligned, but it gives the agent access according to the token/account permissions.
`GITHUB_TOKEN` - GitHub Personal Access Token (optional, for private repos) ... `gh auth login --with-token <(echo "$GITHUB_TOKEN")`
Use the least-privileged GitHub account or token needed, avoid broad PAT scopes, and revoke or rotate the token when no longer needed.
A wrong repository or path could add unwanted code or entries to the local knowledge base and consume local disk space.
The documented workflow downloads repositories and modifies a local catalog. This is central to the skill's purpose and is scoped to the KB path, but it is still local file mutation and network-backed repository retrieval.
`git clone https://github.com/<owner>/<name>.git ${GITHUB_KB_PATH:-/home/node/clawd/github-kb}/<name>` ... `Update GITHUB_KB.md: Add entry for the new repo`
Confirm the repository identity and KB directory before cloning, especially for private repositories or large codebases.
The local catalog may retain names, descriptions, and context about private or sensitive repositories.
The skill persists summaries/catalog entries derived from repository content. This is the intended KB behavior, but private or untrusted repository information may remain available for later tasks.
Key file: GITHUB_KB.md at the root of the KB directory catalogs all projects with brief descriptions ... Generate project description: Read README or key files
Store the KB in a location appropriate for the sensitivity of the repositories and review GITHUB_KB.md before sharing or reusing it.
Install-time metadata may not show all prerequisites; users need to read the skill instructions to understand setup and authentication.
The registry metadata does not advertise the gh CLI/authentication or optional environment variables that SKILL.md documents. The SKILL text itself discloses them, so this is a setup transparency note rather than hidden code behavior.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Before use, verify gh is installed from a trusted source and decide whether you want to provide GITHUB_TOKEN or a custom GITHUB_KB_PATH.
