Skill v1.0.0

ClawScan security

GitHub-Assistant-Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 8:40 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is broadly consistent with a GitHub assistant (it uses the API + Playwright browser scraping) but it asks users to create and store wide-scoped tokens, writes persistent session/token files under ~/.github-assistant, and recommends DNS/hosts/mirror workarounds and third‑party mirrors — these choices are coherent with the described features but are security-sensitive and not fully disclosed in the registry metadata.
Guidance
This skill appears to implement what it claims, but it asks you to provide and store powerful credentials and to install and run browser binaries (possibly from mirrors). Before installing or using it:

- Prefer a fine‑grained PAT with the minimal repository access necessary (avoid All repositories / full repo write if you don't need it).
- Review the code (github_login.py, config.py, install_browser.py) yourself — note the skill stores tokens as plaintext in ~/.github-assistant/github_token.txt and saves browser session data there.
- If running on a server or agent, prefer the Docker workflow (prebuilt Playwright image) instead of running the installer or editing hosts on the host system.
- Be cautious about following hosts-file or DNS workarounds; they can redirect traffic and should only be used if you understand the impact.
- If you must use this skill, run it in an isolated environment (container or throwaway VM) and consider encrypting stored tokens or using short-lived tokens.

Confidence is medium because the code and instructions are coherent but include several security‑sensitive choices (wide token scopes, plaintext storage, mirror/hosts guidance) that raise practical concerns rather than proving malicious intent.

Review Dimensions

Purpose & Capability
note: The name/description match the code: the skill implements Trending scraping (via Playwright) and full GitHub API operations (search, star/fork/watch, issues/PRs, contents, actions, etc.). However, the registry metadata declares no required credentials/env vars while the code and SKILL.md clearly expect either a stored Personal Access Token (or GITHUB_TOKEN env var) or a browser session. The need for a broad PAT is consistent with the capabilities, but the metadata omission is an inconsistency that could confuse users.
Instruction Scope
concern: Runtime instructions ask the agent/user to run scripts that: open real browsers (interactive login), save browser storage state and persistent browser profiles under the user's home directory, and store tokens locally. The docs and scripts also suggest modifying /etc/hosts as a DNS workaround and recommend mirror endpoints for downloads. The skill reads/writes files in ~/.github-assistant and checks GITHUB_TOKEN environment variables even though the skill declared no required env vars. These actions go beyond simple API calls and have privacy/operational implications (saved tokens, persistent browser profiles, possible hosts modifications).
Install Mechanism
note: There is no platform install spec; installation is user-driven via pip and an included install_browser.py. The installer runs pip commands, queries mirrors and CDN endpoints, and guides the user to run playwright install (which downloads browser binaries). The script provides mirror URLs (npmmirror/registry.npmmirror, mirrors.tuna, etc.) and host/DNS workarounds. Using third‑party mirrors is understandable for connectivity, but downloading browser binaries from non-official endpoints and suggesting hosts-file edits increases risk if users blindly follow instructions.
Credentials
concern: To perform full repository operations the skill properly requires a PAT. However, SKILL.md encourages creating tokens with broad 'read & write' repo permissions and recommends 'All repositories' access — a large blast radius. The code stores the token as plaintext in ~/.github-assistant/github_token.txt and keeps persistent browser session data in the same directory. The skill also checks the GITHUB_TOKEN env var (not declared), and offers browser login where users may input credentials in the opened browser. Storing unencrypted tokens and recommending wide scopes are security-sensitive and not proportionately restricted by default.
Persistence & Privilege
note: always:false (not force-included). The skill persists credentials and browser session state under ~/.github-assistant and creates a browser profile directory for persistent contexts. Persisting this data is functional for convenience but means long-lived secrets and browser state are stored on disk in the user's home directory (plaintext token, cookies/localStorage). The skill does not declare modifications to other skills or system-wide configs, but the persistent files and suggestions to change hosts/DNS increase long-term impact if compromised.