ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Automation

v1.0.0

Automate common GitHub tasks — create issues, check PR status, list repos, manage projects. Use when the user wants to interact with GitHub programmatically...

0· 10·0 current·0 all-time
byCJ Hauser@cloudcompile
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description, SKILL.md, and the Python tool are coherent: they interact with the GitHub API to manage issues/PRs/repos and require a GitHub token. However the registry metadata declares no required environment variables / primary credential while both SKILL.md and scripts/gh_tool.py explicitly require GITHUB_TOKEN. That metadata mismatch is an incoherence that could hide credential requirements from users or automated installers.
!
Instruction Scope
SKILL.md instructs using the included script and setting GITHUB_TOKEN (appropriate). The script only accesses GitHub API endpoints and does not read other files or unrelated env vars. However the script creates an SSL context that disables hostname checking and certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE), which weakens transport security and could allow intercepted or redirected API traffic — this is an unexpected and unsafe implementation detail not mentioned in the docs.
Install Mechanism
This is instruction-only with an included Python script and no install spec, so nothing is downloaded or installed automatically. That lowers installation risk; the user runs the contained script directly.
!
Credentials
Functionality legitimately requires a GitHub token with repository/issues/notifications scopes, which the SKILL.md documents. But the registry metadata failing to declare required env vars/primary credential is an inconsistency. Also requested scopes (repo, issues, pull_requests, notifications) are powerful — users should prefer least-privilege tokens or fine-grained app tokens rather than a broad PAT.
Persistence & Privilege
The skill does not request 'always: true', does not write persistent agent-wide settings, and does not modify other skills. Agent autonomous invocation is allowed (platform default) but not an additional privilege here.
What to consider before installing
Do not install or run this skill with a high-privilege personal access token until issues are resolved. Specific recommendations: - Ask the publisher/author to update the registry metadata to declare GITHUB_TOKEN as a required credential and to state minimal needed scopes. - Request or patch the script to remove the insecure SSL override (delete ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE) so cert validation is enforced. - Prefer a least-privilege token (or a GitHub App / fine-grained token) scoped only to what you need (e.g., public_repo vs full repo access, issues-only if you only manage issues). - Review the script yourself or run it in an isolated environment before giving it a real token. - If you cannot get the TLS issue fixed, do not use this skill with tokens that grant access to sensitive or private repositories.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dg344cjtrarsstpcckevvkx846a3d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

GitHub Automation

Streamline GitHub workflows from the command line. Create issues, check PRs, manage repos without switching contexts.

Usage

create issue: fix login bug
check my prs
list repos
close issue #123

Features

Issues

  • Create issues with title/body/labels
  • List open/closed issues
  • Close or comment on issues
  • Search issues

Pull Requests

  • Check PR status and reviews
  • List open PRs
  • Comment on PRs
  • Check merge status

Repositories

  • List user/org repos
  • Check repo stats
  • Get recent commits
  • Check branch status

User

  • Check notifications
  • Get user profile info
  • List starred repos

Script

# Create issue
python scripts/gh_tool.py issue create "Title" "Body" --repo owner/repo --labels bug

# List PRs
python scripts/gh_tool.py pr list --repo owner/repo

# Check notifications
python scripts/gh_tool.py notifications

Authentication

Uses GITHUB_TOKEN environment variable. Set it in your env:

export GITHUB_TOKEN=ghp_your_token_here

Token Permissions Needed

  • repo - Repository access
  • issues - Issue management
  • pull_requests - PR access
  • notifications - Read notifications

Examples

create issue in myrepo: bug - login fails with 500 error
check prs for pollinations/pollinations.ai
list my repos
close issue #42 in cloudgptapi

Output

  • Success/failure confirmation
  • Issue/PR numbers and URLs
  • Formatted lists with key info
  • Direct links to GitHub

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…