Github App Authentication
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is consistent with its stated purpose, GitHub App authentication, but it installs an external CLI and stores GitHub App credentials and installation tokens that let agents act on your repositories.
It appears purpose-aligned; install it only if you intend to let agents operate under a GitHub App identity. Scope the GitHub App narrowly, protect the private key and the local config, and be aware that any later git or gh command run in the configured environment may authenticate as the bot rather than as you.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Agents or automations using this setup can act on GitHub repositories within the permissions granted to the GitHub App.
The skill requires delegated GitHub App credentials and causes git/gh commands to operate with that app's installation token.
Use `ghapp` to authenticate as a GitHub App so `git` and `gh` commands use installation tokens. Requires a GitHub App with App ID, Installation ID, and a private key (.pem).
Use a GitHub App with the least repository access and permissions it needs, keep the private key secure (it can mint tokens for every installation of the app, not just this one), and confirm which repositories the installation can reach before handing the identity to an agent.
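As an added illustration of what those three inputs are used for (this is not the skill's or the ghapp tool's own code): the App ID and private key sign a short-lived RS256 JWT, and that JWT is exchanged at GitHub's installation-token endpoint for the token git and gh actually use. The exchange is also the point where the token can be narrowed to specific repositories and permissions, which is how "least required access" is enforced even when the app's own grant is broader. The App ID `12345`, Installation ID `67890`, repository name `api-server`, and the freshly generated RSA key are placeholders; a real deployment loads the `.pem` GitHub issued for the app. The request is built but deliberately not sent.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// appClaims are the claims GitHub expects in the App JWT: iat backdated
// 60s to tolerate clock skew, exp within 10 minutes, iss = the App ID.
type appClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewDemoKey generates a throwaway key (constructed for the example only).
func NewDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// AppJWT builds and RS256-signs the JWT an App uses to authenticate as
// itself. now is injected so the claims are deterministic in tests.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(appClaims{
		Iat: now.Add(-60 * time.Second).Unix(),
		Exp: now.Add(9 * time.Minute).Unix(),
		Iss: appID,
	})
	signingInput := b64url(hdr) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT checks the RS256 signature and returns the decoded claims.
// This is what GitHub does server-side; it rejects any tampered payload.
func VerifyAppJWT(tok string, pub *rsa.PublicKey) (appClaims, error) {
	var c appClaims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(payload, &c)
	return c, err
}

// InstallationTokenRequest builds (but does not send) the exchange of the
// App JWT for an installation token. repos and perms, both optional, narrow
// the issued token below the installation's full grant.
func InstallationTokenRequest(jwt, installationID string, repos []string, perms map[string]string) (*http.Request, error) {
	body := map[string]any{}
	if len(repos) > 0 {
		body["repositories"] = repos
	}
	if len(perms) > 0 {
		body["permissions"] = perms
	}
	buf, err := json.Marshal(body)
	if err != nil {
		return nil, err
	}
	endpoint := "https://api.github.com/app/installations/" + installationID + "/access_tokens"
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(buf))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func main() {
	key := NewDemoKey() // placeholder for the app's real .pem
	tok, err := AppJWT("12345", key, time.Now())
	if err != nil {
		panic(err)
	}
	req, _ := InstallationTokenRequest(tok, "67890",
		[]string{"api-server"}, map[string]string{"contents": "read"})
	fmt.Println(req.Method, req.URL.String(), "Authorization:", req.Header.Get("Authorization")[:14]+"...")
}
```

Two things follow from the shape of this flow. First, whoever holds the `.pem` can produce a valid App JWT for any installation of that app, so the key deserves stricter handling than the cached installation token. Second, the installation token is the credential git and gh end up presenting; asking for `contents: read` on one repository at exchange time limits what a leaked token can do even if the app's own grant is wider.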
Local users or processes with access to the config/cache may be able to misuse stored GitHub authentication material.
The skill persists authentication-related state locally, which is expected for this purpose but sensitive if the machine or config directory is shared.
Tokens are cached locally and auto-refreshed. Config stored at `~/.config/ghapp/config.yaml`.
Install only on trusted machines, protect the private key and config directory, and use `ghapp auth reset` when the app identity is no longer needed.
The installed binary handles the GitHub App private key and installation tokens, so a compromised or substituted package source could ship a build that exposes that material or changes how repository access is granted.
The skill depends on an external Homebrew tap to install the executable; this is disclosed and central to the purpose, but users must trust that tap and whoever can publish to it.
brew | formula: operator-kit/tap/ghapp | creates binaries: ghapp
Install from the intended upstream tap, review the project source/release provenance if needed, and avoid unattended self-updates in sensitive environments.
