ForkZoo
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad GitHub token can affect repositories and workflows beyond the pet if it is over-scoped or mishandled.
The skill asks for broad GitHub credential authority, and the registry metadata does not declare a primary credential or required environment variable.
GitHub Token with `repo` and `workflow` scopes
Use a least-privilege or temporary GitHub token, preferably scoped only to the intended pet repository/account, and revoke it when finished.
Remote workflows can run in your GitHub account’s forked repository and may change repository contents, consume Actions minutes, or publish output.
The adoption script enables GitHub Actions with all actions allowed in the newly forked repository, which is broader than a narrowly scoped pet workflow.
"https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/permissions" ... -d '{"enabled": true, "allowed_actions": "all"}'Review the forked repository workflows before enabling Actions, restrict allowed actions where possible, and require explicit user confirmation before making these changes.
You would be trusting code and workflows from external repositories that were not reviewed in this skill package.
The script forks external template repositories and immediately dispatches a workflow, but the workflow contents and a pinned source revision are not included in the artifacts.
monkey) SOURCE_REPO="forkZoo/forkMonkey" ;; ... curl ... "https://api.github.com/repos/$GITHUB_USER/$REPO_NAME/actions/workflows/genesis.yml/dispatches"
Inspect the source pet repositories and their GitHub Actions workflows before adoption, and prefer pinning or documenting a specific reviewed commit.
Your pet repository may keep changing automatically unless you disable the workflows.
Persistent daily automation is disclosed and central to the pet concept, but it continues operating after setup.
Pets evolve automatically every day via GitHub Actions: - AI (GPT-4o or Claude) decides mutations
Only adopt if you want ongoing automation, and disable GitHub Actions or delete the repository when you no longer want the pet to evolve.