GitHub AI Trends

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide a GitHub token, the skill can make GitHub API requests using that token's permissions.

Why it was flagged

The script can read a GitHub token from an argument or environment variable and send it as an Authorization header to the GitHub API. This is purpose-aligned for rate limits, but users should notice that a credential may be used.

Skill content

parser.add_argument("--token", default=os.environ.get("GITHUB_TOKEN")) ... headers["Authorization"] = f"Bearer {token}"

Recommendation

Use a low-scope GitHub token if needed, avoid broad or personal tokens when possible, and prefer an environment variable over pasting tokens into chat.