GitHub Workflow
Review
Audited by ClawScan on May 14, 2026.
Overview
This appears to be a coherent read-only GitHub workflow plugin, but users should know it needs a GitHub token and may read PR, issue, commit, and diff data from repositories the token can access.
This plugin looks safe for its stated read-only GitHub workflow purpose. Before installing, create the narrowest GitHub token you can, avoid broad private-repo access unless needed, configure defaultRepos to limit what the agent searches, and be cautious about enabling any scheduled digest feature.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can read GitHub data that the configured token can access, including private PR titles, issue information, commit data, and PR file changes.
The plugin requires a GitHub token that can identify the user and access repository data, including private repositories when the broader repo scope is used.
Create a GitHub Personal Access Token ... scopes: `repo` (for private repos) or `public_repo` ... `read:user`
Use the least-privileged token available, prefer public_repo or a fine-grained read-only token where possible, and configure only the repositories you want the plugin to inspect.
If defaultRepos is empty, a simple request like “what PRs need my review?” may return information from more repositories than the user expected.
When no repository list is configured or supplied, the review-PR search is intentionally broadened to all repositories visible to the token.
If none specified, search globally // (across all repos the user has access to).
Set defaultRepos in the OpenClaw config or pass explicit repos in requests when you want the agent to stay within a specific repository set.
If the scheduled digest feature is enabled, the plugin may continue producing GitHub summaries on a schedule rather than only during direct conversations.
The manifest includes configuration for a recurring weekly digest, but it is disabled by default and no hidden background behavior is shown in the provided artifacts.
"weeklyDigest": { "enabled": { "type": "boolean", "default": false }, "scheduleCron": { "default": "0 9 * * 1" }, "channel": { "description": "Optional channel ID to post the digest to." } }
Only enable scheduled digests if you want recurring GitHub summaries, and verify the destination channel before turning it on.
