Github
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a straightforward instruction-only GitHub CLI helper, but it may use your existing GitHub access, so review any raw API or write actions before allowing them.
This skill appears benign and purpose-aligned for GitHub CLI assistance. Before installing, confirm it is the intended publisher, ensure `gh` is logged into the right GitHub account, and require review for any command that writes to GitHub or uses `gh api` beyond read-only queries.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used beyond the shown examples, the agent could make broad GitHub API calls under the user's permissions.
The skill documents use of `gh api`, the broad GitHub API escape hatch, rather than only narrow CLI subcommands. This is purpose-aligned and the examples are read-only, but it should be used carefully.
The `gh api` command is useful for accessing data not available through other subcommands.
Keep commands scoped to the intended repository and require explicit user confirmation before comments, edits, merges, workflow dispatches, secret changes, or other write operations.
The agent may see private GitHub data or act with the permissions of the logged-in GitHub account if asked to run mutating commands.
The GitHub CLI commonly operates using the user's existing GitHub authentication, so the skill may access repositories, PRs, issues, runs, and logs available to that account.
Use the `gh` CLI to interact with GitHub.
Use a least-privilege GitHub account or token where possible, and review any command that could change repository, issue, PR, workflow, or organization state.
The identity mismatch between local metadata and the registry does not show malicious behavior, but it makes package identity less clear.
The local metadata identity differs from the supplied registry identity, which lists a different owner ID and slug. There is no code payload, but the provenance is not fully coherent.
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "github"
Verify the publisher and registry listing before installation, especially if relying on this skill for organization or private-repository workflows.
