GitHub Digest
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent, read-only GitHub digest skill; the main thing to notice is that it uses the locally authenticated GitHub CLI to fetch repository information.
This skill appears safe for generating GitHub activity summaries. Before using it, make sure you are comfortable with the agent using your authenticated GitHub CLI session and with the resulting digest potentially containing private repository details if you target a private repo.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run GitHub CLI commands on your machine to collect repository activity for the digest.
The skill instructs the agent to invoke local CLI commands. The shown commands are read-only GitHub queries and fit the digest purpose, but users should expect local command execution and external GitHub API access.
Run these `gh` commands in parallel for the target repo ... gh release list ... gh pr list ... gh issue list
Use this skill for repositories you intend to summarize, and provide normal `OWNER/REPO` repository identifiers rather than arbitrary shell text.
If you use it on a private repository, the generated digest may include information visible through your GitHub account.
The skill depends on the user's authenticated GitHub CLI session. This is expected for GitHub access and no credential leakage or account mutation is shown, but it means results can reflect the permissions of the logged-in GitHub account.
- `gh` CLI authenticated (`gh auth status`)
Only request digests for repositories whose activity you are comfortable exposing in the chat output, and use a GitHub account/token with appropriate read-only scope where possible.
The skill may fail or behave differently if `gh`, authentication, or `jq` is not available, even though the metadata does not declare them.
The SKILL.md requires external tools (`gh`, and `jq` for the command quoted below), while the supplied registry requirements declare no required binaries or credentials. This is an under-declared setup dependency rather than evidence of malicious behavior.
gh issue list --repo OWNER/REPO --state open --limit 30 ... | jq -r ...
Before installing or using, confirm that the GitHub CLI is installed and authenticated, and that `jq` is available if the issue-sorting command is needed.
