Github Ops

This skill mostly does what it says (create repos, push, create releases) and legitimately needs a GITHUB_TOKEN, but there are mismatches and insecure practices you should address before installing: 1) The SKILL.md expects the token at /home/node/.openclaw/secrets/github_token.txt even though the skill metadata doesn't declare that config path — confirm where your token must live and who can read it. 2) The guide embeds the token in remote URLs (git remote add origin https://${GITHUB_TOKEN}@github.com/...), which can leak tokens; prefer Git credential helpers, the gh CLI, or API calls with tokens passed in headers. 3) The SKILL.md asserts 'no user token needed' while simultaneously requiring GITHUB_TOKEN — treat that claim as wrong. 4) Because the agent can run this skill autonomously, ensure the GITHUB_TOKEN has least-privilege scopes (only repo actions needed), consider requiring interactive confirmation for repo creation/push/release, and run the skill in an isolated workspace. If you want to proceed, ask the skill author to: declare the secret/config paths in metadata, remove insecure examples of token-in-URL, document required token scopes, and add explicit prompts/confirmation steps for any potentially destructive operations. If the author cannot justify the fixed secret path or refuses to remove token-in-URL usage, do not install.