Github

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only GitHub CLI skill, but it will use your local GitHub CLI setup and includes broad `gh api` capability.

This skill appears safe for normal GitHub CLI use. Before installing or using it, make sure your local `gh` CLI is trusted, confirm which GitHub account is authenticated, and review any command that writes, deletes, merges, posts, or uses `gh api` beyond read-only queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used beyond the examples, the agent could ask the GitHub CLI to perform broader account or repository actions through the API.

Why it was flagged

`gh api` is a broad GitHub API interface. The shown example is read-only, and this is purpose-aligned, but users should review any generated API endpoint, method, or payload before allowing actions beyond queries.

Skill content

The `gh api` command is useful for accessing data not available through other subcommands.

Recommendation

Review `gh api` commands carefully, especially any that use POST, PATCH, PUT, or DELETE methods, and confirm the target repository and endpoint.

What this means

Commands may run with the permissions of whichever GitHub account or token is currently configured in the local `gh` CLI.

Why it was flagged

The skill is expected to use GitHub access, and `gh` commonly uses the user's existing local GitHub authentication. The metadata does not declare a credential, but the artifacts do not show credential capture, logging, or unrelated account use.

Skill content

Description: Interact with GitHub using the `gh` CLI... Primary credential: none

Recommendation

Check `gh auth status` and use a least-privileged GitHub account or token for the repositories you intend the agent to access.

What this means

The skill will only work safely if the user already has a trusted GitHub CLI installed and configured.

Why it was flagged

The skill depends on the external `gh` CLI according to its instructions, but the metadata does not declare that dependency. This is a metadata completeness issue rather than evidence of hidden code.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Install GitHub CLI from an official source if needed, keep it updated, and verify the binary being used is the expected `gh` executable.