ClawHub

Github App Authentication

v0.1.5

Give your AI agents and automations their own GitHub (App) identity. Authenticate using GitHub Apps so every commit, PR, and action is attributed to the bot...

0· 579·1 current·1 all-time
byRoss Morsali@rmorse

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rmorse/ghapp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Github App Authentication" (rmorse/ghapp) from ClawHub.
Skill page: https://clawhub.ai/rmorse/ghapp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: ghapp
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ghapp

ClawHub CLI

Package manager switcher

npx clawhub@latest install ghapp
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill is an instruction wrapper for the ghapp CLI that authenticates as a GitHub App. Requiring the ghapp binary and offering a brew install for operator-kit/tap/ghapp is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run ghapp CLI commands (setup, auth configure, token, etc.) and to read a private key (.pem) supplied by the user and to write config at ~/.config/ghapp/config.yaml. These actions are expected for this purpose and the instructions do not request unrelated files or network endpoints, but they do rely on the user providing sensitive GitHub App credentials and a private key.
Install Mechanism
Installation is via a Homebrew formula (operator-kit/tap/ghapp). A brew formula is a reasonable install method, but this is a third‑party tap rather than an official Homebrew-core package — that increases the need to verify the formula/source before trusting the installed binary.
!
Credentials
The runtime requires GitHub App credentials (App ID, Installation ID, private key) and will cache installation tokens locally, but the registry metadata lists no required env vars or config paths. The SKILL.md explicitly references ~/.config/ghapp/config.yaml and a .pem key path; the lack of declared required credentials/config in the registry is an inconsistency the user should be aware of.
Persistence & Privilege
always is false and the skill is user-invocable only; it does store tokens/config under ~/.config/ghapp (expected for its function). Note the CLI supports a self-update command, which could update the installed binary — verify update behavior and origin if you rely on this in a sensitive environment.
Assessment
This skill is essentially documentation for using the ghapp CLI; it looks coherent, but take these precautions before installing/using it: - Verify the Homebrew formula and source (operator-kit/tap/ghapp). Prefer installing from a trusted source or building from repo source if you can. Third‑party taps can install arbitrary binaries. - The tool requires a GitHub App App ID, Installation ID, and a private key (.pem). These are sensitive — keep the key file secure and give the App the minimal permissions it needs. - Expect the tool to store tokens/config at ~/.config/ghapp/config.yaml; review that file and its permissions after setup and consider using filesystem encryption or an isolated environment if needed. - Be aware of the 'ghapp update' self-update behavior; automatic or manual updates could change binary behavior — inspect update mechanisms or pin versions if necessary. - If you want stronger assurance, inspect the ghapp source code (homepage: https://github.com/operator-kit/ghapp-cli) or run the CLI in a sandbox/CI runner before giving it access to production repositories. The main incoherence is that the registry metadata does not declare the sensitive credentials/config the tool requires; that omission is explainable but worth noting. If you need higher assurance, treat this as 'requires manual review' before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔑 Clawdis
Binsghapp

Install

Install ghapp (brew)
Bins: ghapp
brew install operator-kit/tap/ghapp
latestvk974yqv5m68xcxgytx6pzfx0ph81saay
579downloads
0stars
4versions
Updated 2mo ago
v0.1.5
MIT-0
Ross Morsali@rmorse
latest
Download

ghapp

Use ghapp to authenticate as a GitHub App so git and gh commands use installation tokens. Requires a GitHub App with App ID, Installation ID, and a private key (.pem).

Setup

  • ghapp setup — interactive wizard: enter App ID, Installation ID, key path, then configure auth
  • ghapp auth configure — configure git + gh authentication (if skipped during setup)
  • ghapp auth status — show current auth config and diagnostics

Commands

  • ghapp --help — list all commands and flags
  • ghapp token — print an installation token (cached; --no-cache for fresh)
  • ghapp auth configure [--gh-auth shell-function|path-shim|none] — configure how git/gh authenticate
  • ghapp auth status — check auth health
  • ghapp auth reset [--remove-key] — undo all auth config
  • ghapp config set, ghapp config get [key], ghapp config path — manage config
  • ghapp update — self-update to latest release
  • ghapp version — print version

gh auth modes (passed to auth configure)

  • shell-function — auto-authenticates gh commands via shell integration (recommended)
  • path-shim — wrapper binary for CI/containers
  • none — static token in hosts.yml

Notes

  • After setup, git clone/push/pull and gh work without manual tokens.
  • Commits are attributed to the app's bot account (e.g., myapp[bot]).
  • Tokens are cached locally and auto-refreshed.
  • Config stored at ~/.config/ghapp/config.yaml.

Comments

Loading comments...