ClawHub

Github App Authentication

Give your AI agents and automations their own GitHub (App) identity. Authenticate using GitHub Apps so every commit, PR, and action is attributed to the bot...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 366 · 0 current installs · 0 all-time installs
byRoss Morsali@rmorse
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill is an instruction wrapper for the ghapp CLI that authenticates as a GitHub App. Requiring the ghapp binary and offering a brew install for operator-kit/tap/ghapp is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run ghapp CLI commands (setup, auth configure, token, etc.) and to read a private key (.pem) supplied by the user and to write config at ~/.config/ghapp/config.yaml. These actions are expected for this purpose and the instructions do not request unrelated files or network endpoints, but they do rely on the user providing sensitive GitHub App credentials and a private key.
Install Mechanism
Installation is via a Homebrew formula (operator-kit/tap/ghapp). A brew formula is a reasonable install method, but this is a third‑party tap rather than an official Homebrew-core package — that increases the need to verify the formula/source before trusting the installed binary.
!
Credentials
The runtime requires GitHub App credentials (App ID, Installation ID, private key) and will cache installation tokens locally, but the registry metadata lists no required env vars or config paths. The SKILL.md explicitly references ~/.config/ghapp/config.yaml and a .pem key path; the lack of declared required credentials/config in the registry is an inconsistency the user should be aware of.
Persistence & Privilege
always is false and the skill is user-invocable only; it does store tokens/config under ~/.config/ghapp (expected for its function). Note the CLI supports a self-update command, which could update the installed binary — verify update behavior and origin if you rely on this in a sensitive environment.
Assessment
This skill is essentially documentation for using the ghapp CLI; it looks coherent, but take these precautions before installing/using it: - Verify the Homebrew formula and source (operator-kit/tap/ghapp). Prefer installing from a trusted source or building from repo source if you can. Third‑party taps can install arbitrary binaries. - The tool requires a GitHub App App ID, Installation ID, and a private key (.pem). These are sensitive — keep the key file secure and give the App the minimal permissions it needs. - Expect the tool to store tokens/config at ~/.config/ghapp/config.yaml; review that file and its permissions after setup and consider using filesystem encryption or an isolated environment if needed. - Be aware of the 'ghapp update' self-update behavior; automatic or manual updates could change binary behavior — inspect update mechanisms or pin versions if necessary. - If you want stronger assurance, inspect the ghapp source code (homepage: https://github.com/operator-kit/ghapp-cli) or run the CLI in a sandbox/CI runner before giving it access to production repositories. The main incoherence is that the registry metadata does not declare the sensitive credentials/config the tool requires; that omission is explainable but worth noting. If you need higher assurance, treat this as 'requires manual review' before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.5
Download zip
latestvk974yqv5m68xcxgytx6pzfx0ph81saay

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔑 Clawdis
Binsghapp

Install

Install ghapp (brew)
Bins: ghapp
brew install operator-kit/tap/ghapp

SKILL.md

ghapp

Use ghapp to authenticate as a GitHub App so git and gh commands use installation tokens. Requires a GitHub App with App ID, Installation ID, and a private key (.pem).

Setup

  • ghapp setup — interactive wizard: enter App ID, Installation ID, key path, then configure auth
  • ghapp auth configure — configure git + gh authentication (if skipped during setup)
  • ghapp auth status — show current auth config and diagnostics

Commands

  • ghapp --help — list all commands and flags
  • ghapp token — print an installation token (cached; --no-cache for fresh)
  • ghapp auth configure [--gh-auth shell-function|path-shim|none] — configure how git/gh authenticate
  • ghapp auth status — check auth health
  • ghapp auth reset [--remove-key] — undo all auth config
  • ghapp config set, ghapp config get [key], ghapp config path — manage config
  • ghapp update — self-update to latest release
  • ghapp version — print version

gh auth modes (passed to auth configure)

  • shell-function — auto-authenticates gh commands via shell integration (recommended)
  • path-shim — wrapper binary for CI/containers
  • none — static token in hosts.yml

Notes

  • After setup, git clone/push/pull and gh work without manual tokens.
  • Commits are attributed to the app's bot account (e.g., myapp[bot]).
  • Tokens are cached locally and auto-refreshed.
  • Config stored at ~/.config/ghapp/config.yaml.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…