Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw GitHub Assistant

Query and manage GitHub repositories - list repos, check CI status, create issues, search repos, and view recent activity.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 9.1k · 98 current installs · 103 all-time installs
duplicate of @conorkenn/gh-query
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md, and code (api.js / index.js) all implement GitHub operations (list repos, CI, issues, PRs, create repo, search, commits). Required env vars and config keys (GITHUB_TOKEN, GITHUB_USERNAME, github.token, github.username) are directly used by the code to authenticate to api.github.com. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md limits runtime actions to setting credentials, restarting the gateway, and using the skill to call GitHub APIs. The instructions do not direct the agent to read unrelated files, exfiltrate data to third-party endpoints, or perform system-wide discovery. The README and SKILL.md warn about protecting the PAT.
Install Mechanism
No install spec downloads arbitrary code from external URLs; the package is instruction/code-only and contains standard JS files. No brew/npm/go installs are requested. The included code will run within the OpenClaw environment without additional installers.
Credentials
The skill requests only GITHUB_TOKEN and GITHUB_USERNAME (and matching config keys), which is proportionate to GitHub operations. Note: the recommended 'repo' scope gives wide access (create/delete repos, modify code/PRs/issues). This scope is consistent with capabilities (create_repo, create_issue, create_pull_request) but users should prefer least-privilege scopes (e.g., public_repo for public-only usage) or a token limited to required actions.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent platform-wide privileges or modify other skills. Autonomous invocation is the platform default and not combined with other red flags here.
Assessment
This skill appears to do exactly what it says: interact with GitHub using your Personal Access Token and username. Before installing:

  1. Review and run the included code locally if possible to confirm behavior.
  2. Create a token with the minimal scopes you need (avoid full 'repo' if you only need read access).
  3. Prefer storing secrets in your platform's secret manager rather than long-lived shell variables on shared machines.
  4. Rotate the token if you ever suspect compromise.
  5. Note that a token with 'repo' scope enables destructive actions (create/delete/modify repos and issues), so only install this skill if you trust the code and the environment.

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.0.1

Runtime requirements

🐙 Clawdis
Env: GITHUB_TOKEN, GITHUB_USERNAME
Config: github.token, github.username

SKILL.md

GitHub Integration Skill

Query and manage GitHub repositories directly from your AI assistant.

Capabilities

| Capability | Description |
|---|---|
| list_repos | List your repositories with filters |
| get_repo | Get detailed info about a specific repo |
| check_ci_status | Check CI/CD pipeline status |
| create_issue | Create a new issue in a repo |
| create_repo | Create a new repository |
| search_repos | Search your repositories |
| get_recent_activity | Get recent commits |

Usage

You: List my Python repos
Bot: [lists your Python repositories]

You: Check CI status on my main project
Bot: [shows CI/CD status]

You: Create an issue about the bug
Bot: [creates the issue]

Setup

1. Generate GitHub Personal Access Token

  1. Go to https://github.com/settings/tokens
  2. Click "Generate new token (classic)"
  3. Name: openclaw-github-skill
  4. Scopes: repo (required), read:user (optional)
  5. Copy the token

2. Configure Credentials

Option A: Environment Variables (Recommended)

Set environment variables before starting OpenClaw:

export GITHUB_TOKEN="ghp_your_token_here"
export GITHUB_USERNAME="your_github_username"

Option B: OpenClaw Config

Add to ~/.openclaw/openclaw.json:

{
  "github": {
    "token": "ghp_your_token_here",
    "username": "your_username"
  }
}

3. Restart OpenClaw

openclaw gateway restart

Security Notes

⚠️ Protect Your Token:

  • Never commit your token to git or share it publicly
  • Use the minimal required scopes (repo for private repos, public_repo for public-only)
  • Rotate your token if you suspect it was compromised
  • Consider using a secrets manager for production use

⚠️ Best Practices:

  • Don't store tokens in shell profiles (~/.zshrc) on shared machines
  • For local development, environment variables are acceptable
  • For production, use your platform's secret/credential store
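
An added example (not part of the skill's own code) that audits the two storage locations named in the setup and security notes above: shell profiles containing a classic token, and an openclaw.json that holds a token while being accessible beyond its owner. The function names and the profile files listed in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit where a GitHub classic PAT sits on disk.
# Classic PATs are "ghp_" followed by 36 alphanumeric characters.
PAT_RE='ghp_[A-Za-z0-9]{36}'

# True if the file exists and contains a classic-PAT-shaped string.
# grep -q keeps the token itself out of the output.
has_pat() {
  [ -f "$1" ] && grep -Eq "$PAT_RE" "$1"
}

# True if group and other have no permission bits on the file
# (characters 5-10 of the ls mode string, e.g. "-rw-------").
owner_only() {
  [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# audit_pat_storage CONFIG_FILE [PROFILE_FILE...]
# Prints one FINDING line per problem and returns the number of findings.
audit_pat_storage() {
  cfg=$1
  shift
  findings=0
  for f in "$@"; do
    if has_pat "$f"; then
      echo "FINDING: token stored in shell profile: $f"
      findings=$((findings + 1))
    fi
  done
  if has_pat "$cfg" && ! owner_only "$cfg"; then
    echo "FINDING: $cfg holds a token and is accessible to group/other (chmod 600)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Usage (config path from the setup section above):
#   audit_pat_storage ~/.openclaw/openclaw.json ~/.zshrc ~/.bashrc ~/.profile
```

A placeholder such as ghp_your_token_here does not match the pattern, so only files holding a real-length token are reported.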

Rate Limits

  • Unauthenticated requests: 60/hour
  • Authenticated requests: 5,000/hour

Requirements

  • OpenClaw gateway running
  • GitHub Personal Access Token with appropriate scopes

Files

10 total