Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gh-issues
v1.0.0 · Fetch GitHub issues, spawn sub-agents to implement fixes and open PRs, then monitor and address PR review comments. Usage: /gh-issues [owner/repo] [--label b...
⭐ 0 · 1.2k · 70 current · 71 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The declared purpose (fetch issues, spawn sub-agents, open PRs) legitimately requires curl, git, and GH_TOKEN. However, the manifest also requires and installs the 'gh' CLI even though SKILL.md explicitly says 'No `gh` CLI dependency' and drives the GitHub REST API via curl. The brew install of gh therefore appears unnecessary and inconsistent with the runtime instructions. The skill also mentions sending notifications to a Telegram channel but declares no TELEGRAM_TOKEN or similar credential.
Instruction Scope
The SKILL.md instructs the agent to read sensitive local files to recover a token (~/.openclaw/openclaw.json and /data/.clawdbot/openclaw.json) and to run commands like `cat ... | jq`, but jq is not listed as a required binary. Reading those config files is out of band relative to the declared config paths and is a potential data-exfiltration vector: the files hold API keys for other services, not just GitHub. The skill also spawns parallel sub-agents that make code changes and push PRs (powerful behavior) but does not fully describe safety controls for those actions.
Install Mechanism
The install uses a Homebrew formula for 'gh' (official package), which is not inherently risky, but it is inconsistent with the SKILL.md's explicit statement that gh is not used. There is no alternative install for non-brew environments and the install is unnecessary per the instructions.
Credentials
Requesting GH_TOKEN as the primary credential is appropriate for GitHub operations. However, the skill also instructs falling back to reading apiKey entries from local OpenClaw config files (two different paths) — this is sensitive and not declared in requires.config_paths. The skill references Telegram notifications but does not request or document any Telegram credential, creating another mismatch.
Persistence & Privilege
The manifest sets always:false and leaves model invocation allowed (the default), which is normal. The skill will attempt actions that require repository write privileges (pushing branches, opening PRs) using GH_TOKEN, so users should ensure the token's permissions are scoped to the target repositories only. The skill does not request permanent presence or declare that it will modify other skills' configs, which is good.
What to consider before installing
This skill has useful intent but shows multiple inconsistencies and some risky behaviors. Before installing, ask the publisher for clarifications and fixes:
(1) Remove or justify the brew gh install, or update the SKILL.md to use gh if that is intended.
(2) Add jq to the declared required binaries (or avoid using jq).
(3) Stop instructing the agent to read ~/.openclaw/openclaw.json and /data/.clawdbot/openclaw.json without an explicit declaration in requires.config_paths; reading those files can expose unrelated secrets.
(4) Explain how Telegram notifications are sent and declare any needed TELEGRAM_TOKEN.
(5) Limit GH_TOKEN scope (use a token with only the repository permissions required) and test in a sandbox or with a dry run before granting push/PR rights.
If the publisher cannot justify these points, treat the skill as unsafe to install.
latest · vk9716ympkbqkr8the45b34qahs83j0tp
Runtime requirements
Bins: curl, git, gh
Primary env: GH_TOKEN
Install
Install GitHub CLI (brew)
Bins: gh
brew install gh