ForkZoo
Review
Audited by ClawScan on May 10, 2026.
Overview
ForkZoo is coherent with its pet-adoption purpose, but it asks for broad GitHub powers and enables/runs persistent GitHub Actions from external repositories, so it should be reviewed before use.
Only use this skill if you are comfortable letting it create and configure GitHub repositories, enable GitHub Actions, and publish GitHub Pages. Review the upstream ForkZoo repositories and workflows first, and use the narrowest GitHub token you can.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent has this token, it can make GitHub repository and workflow changes under the user’s account; a broad token could also expose private-repo authority if mishandled.
A GitHub token with repo and workflow scopes can modify repositories and workflows across the account; this is powerful for a digital pet skill and is not reflected in the registry credential declarations.
GitHub Token with `repo` and `workflow` scopes ... Store as environment variable `GITHUB_TOKEN`
Use a fine-grained or least-privilege GitHub token limited to the intended pet repository where possible, and do not provide a broad classic PAT unless you understand the account-wide impact.
Running adoption can enable workflow code to execute in a repository under the user’s GitHub account and may publish or change repository content.
The adoption script enables GitHub Actions and allows all actions for the forked repository, which is a broad mutation of workflow execution policy.
"https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/permissions" \
-d '{"enabled": true, "allowed_actions": "all"}'
Review the workflows before enabling them, require explicit user approval before adoption, and consider restricting allowed actions instead of setting `allowed_actions` to `all`.
If the upstream pet repository or its workflows change, the user could run unreviewed workflow code under their GitHub account during adoption or later evolution.
The script forks external GitHub repositories and dispatches their workflows, but those upstream repository contents and workflow definitions are not included or pinned in the reviewed artifact set.
monkey) SOURCE_REPO="forkZoo/forkMonkey" ;; ... "https://api.github.com/repos/$SOURCE_REPO/forks" ... "actions/workflows/genesis.yml/dispatches"
Inspect the upstream repository and workflows at the exact commit before forking, and prefer pinned, reviewed sources for any workflow code that will run automatically.
The pet repository may keep running scheduled GitHub Actions and updating public pages until the user disables those workflows or removes the repository.
The skill intentionally creates persistent automation that continues after the initial adoption task, which is disclosed and aligned with the pet concept but still important for users to notice.
Pets evolve automatically every day via GitHub Actions
After adoption, monitor the repository’s Actions settings and disable scheduled workflows if you no longer want the pet to evolve.
