ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Cli

v1.0.0

Comprehensive GitHub CLI (gh) reference. Covers repos, issues, PRs, Actions, releases, gists, search, projects v2, API, secrets/variables, labels, codespaces...

3· 7.8k·85 current·91 all-time
byTag@tag-assistant
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the content: the SKILL.md is a comprehensive gh reference and the skill correctly requires the gh binary and provides brew/apt install options for it.
Instruction Scope
The instructions are extensive but remain within the GitHub CLI domain. They include example commands that reference environment variables (GH_TOKEN, MY_TOKEN) and commands that print tokens (gh auth token / gh auth status --show-token). These are reasonable examples for a CLI reference but could expose credentials if executed uncritically.
Install Mechanism
Install spec uses standard package managers (brew and apt) and a common formula/package name 'gh'. No downloads from arbitrary URLs or extract/install of untrusted archives are present.
Credentials
The skill declares no required environment variables (appropriate for a reference), but the docs reference GH_TOKEN and example MY_TOKEN usage. This is an example-only mismatch (no env vars are required by the skill itself) — be aware that following these examples will involve your tokens.
Persistence & Privilege
always is false and the skill requests no persistent system-wide privileges or config paths. Autonomous invocation is allowed (platform default) but the skill does not ask for elevated persistence.
Assessment
This skill is a documentation/reference for the GitHub CLI and is internally consistent. Before installing or running commands from it: (1) ensure you trust any commands that print or pipe authentication tokens (examples like 'gh auth token' or 'echo "$MY_TOKEN" | gh auth login --with-token' will expose secrets to the terminal/processes); (2) install 'gh' via your distro's package manager (brew/apt) as suggested rather than running arbitrary downloads; (3) if you allow the agent to run commands autonomously, avoid giving it your PAT/GH_TOKEN or run 'gh auth token' unless you expect that output to be visible to the agent; and (4) review any commands that change repo visibility or delete resources before executing them.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e94w8833g2bf40jcv5f8jbx817r7r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐙 Clawdis
Binsgh

Install

Install GitHub CLI (brew)
Bins: gh
brew install gh

Comments