Wip Repo Permissions Hook

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a legitimate GitHub repo-visibility guard, but it persists as a hook and uses your GitHub CLI login to query repository information.

Before installing, make sure you want an always-available hook that can inspect GitHub visibility commands issued through the Bash tool and query GitHub through your `gh` login. Treat it as a helpful agent-side guard, not a complete GitHub policy enforcement system.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent or hook may learn whether expected private counterpart repos exist and may audit public repo names using your GitHub CLI access.

Why it was flagged

The tool queries GitHub through the local `gh` CLI, which commonly uses the user's configured GitHub authentication. This is expected for a GitHub guard, but users should recognize it can use their account access to check repo existence.

Skill content

execFileSync('gh', ['api', `repos/${org}/${privateName}`, '--jq', '.name']

Recommendation

Install only if you trust this skill with GitHub repo metadata, and prefer a least-privilege GitHub CLI login or organization-scoped account.

What this means

The hook can continue intercepting future tool-use events and deny matching public-visibility GitHub commands until you disable or remove it.

Why it was flagged

The plugin is designed to run automatically before future tool-use events once installed. This persistence is disclosed and aligned with the guard purpose.

Skill content

"lifecycle": { "before_tool_use": "./guard.mjs" }

Recommendation

Keep track of where the hook/plugin is installed and remove or disable it when you no longer want this behavior.

What this means

Users could overestimate the protection if they expect it to block all GitHub UI, API, or non-Bash visibility changes.

Why it was flagged

The implementation only checks Bash tool inputs that parse as a specific GitHub CLI visibility change. Broader wording such as 'blocks repos from going public' should be understood within this narrower enforcement scope.

Skill content

if (toolName !== 'Bash') { process.exit(0); } ... const parsed = parseVisibilityCommand(command);

Recommendation

Use this as an agent/CLI guard, not as a replacement for GitHub organization policies or administrative controls.

What this means

Future installs may include a newer MCP SDK version than the one originally reviewed.

Why it was flagged

The npm dependency uses a semver range, so installations can resolve to newer compatible versions. This is common, but it is still a supply-chain detail users may want to review.

Skill content

"dependencies": { "@modelcontextprotocol/sdk": "^1.0.0" }

Recommendation

For stricter reproducibility, install from a trusted package source and consider pinning dependencies or using a lockfile.

What this means

A connected agent can request and see GitHub repository metadata available through the local `gh` setup.

Why it was flagged

The MCP server exposes repo check/audit tools to any configured MCP client, returning repo names and counterpart status into the agent context.

Skill content

name: 'repo_permissions_audit', description: 'Audit all public repos in a GitHub org for missing -private counterparts. Returns violations and passing repos.'

Recommendation

Configure this MCP server only for trusted agents and clients, and avoid using it with GitHub accounts that have broader access than needed.