Github App Authentication
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ghapp
Version: 0.1.5

The skill bundle provides instructions for installing and using the `ghapp` CLI tool, which facilitates GitHub App authentication. The `SKILL.md` file includes a standard `brew` installation command for the `ghapp` binary and describes its various commands, including `ghapp update`. There is no evidence of prompt injection, data exfiltration, malicious execution, or other harmful intent within the provided files. The handling of sensitive credentials (GitHub App private keys) is inherent to the tool's stated purpose, and the skill bundle itself does not expose vulnerabilities in how the `ghapp` binary handles them.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Agents or automations using this setup can act on GitHub repositories within the permissions granted to the GitHub App.
The skill requires delegated GitHub App credentials and causes git/gh commands to operate with that app's installation token.
Use `ghapp` to authenticate as a GitHub App so `git` and `gh` commands use installation tokens. Requires a GitHub App with App ID, Installation ID, and a private key (.pem).
Use a GitHub App with the least required repository access and permissions, keep the private key secure, and confirm which repositories the installation can access.

Local users or processes with access to the config/cache may be able to misuse stored GitHub authentication material.
The skill persists authentication-related state locally, which is expected for this purpose but sensitive if the machine or config directory is shared.
Tokens are cached locally and auto-refreshed. Config stored at `~/.config/ghapp/config.yaml`.
Install only on trusted machines, protect the private key and config directory, and use `ghapp auth reset` when the app identity is no longer needed.

The installed binary controls GitHub App authentication behavior, so a compromised or unexpected package source could affect repository access.
The skill depends on an external Homebrew tap to install the executable; this is disclosed and central to the purpose, but users must trust that source.
brew | formula: operator-kit/tap/ghapp | creates binaries: ghapp
Install from the intended upstream tap, review the project source/release provenance if needed, and avoid unattended self-updates in sensitive environments.
