GitHub-Assistant-Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real GitHub assistant, but it asks for very broad GitHub authority and can perform high-impact actions without strong confirmation or scoping controls.

Install only if you intend to let this skill act on your GitHub account. Prefer a fine-grained, short-lived token limited to selected repositories and only the permissions you actually need; avoid passing tokens on the command line when possible. Treat the saved ~/.github-assistant token and browser session as sensitive, and manually confirm any merge, workflow run, file write, repository creation, settings access, or other account-changing action before allowing the agent to execute it. Static scan was clean and VirusTotal was pending, but the Review verdict is based on the artifact's broad authority and weak safety gates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill exposes powerful capabilities including shell execution, filesystem access, network access, environment access, and file writes, yet does not declare permissions or clearly constrain their use. This undermines least-privilege controls and makes it harder for a host system or reviewer to understand that the skill can install software, persist credentials, and perform state-changing GitHub operations.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior substantially exceeds the declared purpose: beyond trending/search and repo assistance, it supports credential onboarding, session persistence, arbitrary browser navigation, workflow triggering, repo creation, notifications, org/member access, and other administrative actions. This mismatch can mislead users and reviewers about the real attack surface, increasing the chance that high-risk capabilities are granted without informed consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The documented capabilities substantially exceed the stated GitHub-assistant scope and include browser automation, account/session handling, settings access, organization data, and other privileged operations. Scope expansion like this increases attack surface, can mislead users about what the skill may do, and weakens informed consent for sensitive actions performed under the user's GitHub identity.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: An arbitrary browser navigation command like `goto "https://..."` is far broader than GitHub assistance and can be used to drive an authenticated browser session to attacker-controlled pages. In a skill that also stores browser auth and supports login, this enables phishing, session abuse, exfiltration via web flows, or unintended actions outside GitHub.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The documented `goto "https://..."` browser automation permits navigation to arbitrary URLs, which exceeds a GitHub-focused assistant and can be abused for phishing, credential capture, or driving the browser to attacker-controlled content. In the presence of persisted GitHub sessions and a live browser context, this becomes more dangerous because it may expose authenticated state to unintended destinations or facilitate social engineering.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The reference expands into repository mutation and administrative capabilities such as file creation/deletion, branch deletion, releases, Actions dispatch, and repository creation that go beyond the skill's stated purpose. In an agent setting, undocumented extra capabilities increase the chance that the model will infer or attempt higher-risk actions without explicit user awareness or appropriate safety gating.

Description-Behavior Mismatch

Severity: Low
Confidence: 84%
Finding: The file documents user profile changes, follow/unfollow actions, notifications, and organization endpoints that are not justified by the described skill scope. Extra account-level endpoints broaden the attack surface and may lead the assistant to perform unrelated account actions if prompted or socially engineered.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The `goto` action passes a user-supplied URL directly into `page.goto(...)` with no allowlist or origin validation, so this GitHub-focused skill can be used to browse arbitrary sites in a logged-in browser context. Because the browser may carry persisted session state and the code disables HTTPS error enforcement, this broadens the attack surface to phishing pages, malicious content, and unintended cross-site navigation outside the declared scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The skill provides direct helpers to open sensitive account and repository settings pages, including security, billing, keys, and tokens-related areas, using an existing authenticated session. Even though these functions only navigate, exposing such privileged surfaces in an automation helper increases the chance of unsafe prompting, user confusion, or accidental access to highly sensitive configuration pages beyond routine repository assistance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The declared skill scope emphasizes trending/search/repo operations/issues/PR/code retrieval/comments, but the module also exposes broader account- and repository-affecting capabilities such as org access, notifications, gists, releases, branches, and workflow control. This scope expansion increases the authority available to the skill beyond what a user would reasonably infer from the metadata, creating a permission and trust mismatch.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The workflow functions can trigger, cancel, and rerun GitHub Actions, which may execute arbitrary CI/CD automation using repository secrets, deployment credentials, or production-integrated pipelines. In the context of a general GitHub assistant, this is unusually powerful and can lead to unauthorized builds, deployments, or secret-bearing job execution if invoked unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Gist creation, modification, and deletion are outside the stated assistant purpose and allow publishing or altering content under the user's identity, including potentially sensitive snippets. Because gists can be public and are separate from normal repo workflows, they materially expand exfiltration and impersonation risk beyond expected functionality.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: Repository creation, settings changes, and deletion are destructive or high-impact administrative actions that exceed the described assistant scope. If misused, they can alter visibility, disable safeguards, change defaults, or permanently remove repositories, causing loss of code, access, or integrity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: Follow/unfollow operations are social-account actions unrelated to the stated repo/issue/PR assistant purpose. While lower impact than admin actions, they still let the skill modify the user's account state and public activity in ways the user may not expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 80%
Finding: The file adds browser bootstrap and system-configuration guidance that exceeds the GitHub assistant's declared scope, increasing the attack surface far beyond repository and issue management. In an agent skill context, extra installer logic is risky because it performs network downloads, package installation, and environment-dependent operations unrelated to the core GitHub functions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill reads proxy-related environment variables and prints them, even though this capability is not necessary for normal GitHub assistant behavior. In an agent environment, proxy variables often contain internal infrastructure details or embedded credentials, so collecting and exposing them materially increases leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The documentation enumerates destructive and account-affecting operations such as create, update, close, merge, trigger, follow, and lock actions without warning, confirmation, or safety guidance. In a delegated agent context, normalizing these operations without caution increases the risk of accidental repository changes, workflow execution, social/account actions, and irreversible administrative effects.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The token login instructions tell users to supply a GitHub token but provide no warning about credential sensitivity, scope minimization, shell history exposure, or secure handling. This can lead to over-privileged token use and accidental leakage through terminals, logs, transcripts, screenshots, or process inspection.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The documentation explicitly identifies local paths where authentication artifacts and browser session data are stored, but gives no security or privacy guidance. Storing tokens and session state on disk without warning or documented protections increases the chance of credential theft from local compromise, backups, shared machines, or weak file permissions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README prominently advertises account-affecting operations such as create repo, close/reopen issues, merge PRs, create/update files, and trigger workflows, but it does not pair them with explicit confirmation or safety guidance for agent-mediated use. In an AI-agent context, this increases the risk of unintended destructive or unauthorized actions from ambiguous prompts or prompt injection, especially because the skill is designed to execute real GitHub mutations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The token-login section encourages broad token use and local storage but does not provide a clear upfront privacy warning about credential sensitivity, storage location, or the consequences of granting access to all repositories. In an agent setting, this can lead users to overprivilege the tool and expose credentials or repository access beyond what is necessary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The reference lists many authenticated and destructive operations, such as deleting files, deleting branches, closing issues, merging PRs, and rerunning workflows, without any warning about irreversible effects, approval requirements, or repository impact. In an autonomous or semi-autonomous assistant, this omission materially increases the likelihood of unsafe execution from ambiguous or malicious prompts.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding: The authentication section mentions personal access tokens and broad scopes but gives no warning about secure credential storage, non-disclosure, scope minimization, or avoiding logging secrets. This can normalize unsafe token handling and increase the risk of credential leakage or overprivileged access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The browser is launched with persisted authentication state or a persistent profile directory, so automated navigation occurs inside an already logged-in GitHub session. Combined with access to sensitive pages and lack of an upfront warning about credential/privacy exposure, this creates a meaningful risk of account-impacting interactions, especially if the skill is induced to visit malicious or unexpected pages.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The function transmits the supplied GitHub PAT to GitHub for verification and then persists it locally via `save_token(token)`, but the user-facing flow shown here provides no warning about network transmission, local storage, or the sensitivity of the secret. In a login helper skill, this is a real security weakness because users may disclose high-privilege tokens without informed consent, increasing the chance of credential misuse if the host is shared or compromised.

VirusTotal

66/66 vendors flagged this skill as clean.