gh
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a straightforward GitHub CLI instruction skill, but it can use your logged-in GitHub account to change repositories, issues, pull requests, and releases.
Install only if you are comfortable letting the agent run GitHub CLI commands on your behalf. Check `gh auth status`, verify the target repository and account before any create, merge, comment, or release action, and use a trusted local gh installation and least-privileged credentials.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad command could change a repository, publish a release, or merge code using the user’s GitHub permissions.
The skill documents commands that can create repositories, merge pull requests, and publish releases. These are purpose-aligned GitHub CLI operations, but they can materially change a GitHub project if run against the wrong target.
gh repo create OWNER/NAME --private --confirm ... gh pr merge <num> --merge ... gh release create vX.Y.Z
Before running mutating commands, verify the GitHub account, repository owner/name, branch or PR number, and intended operation; avoid non-interactive confirmation unless the target is clear.
Actions will be performed as whichever GitHub user is currently authenticated in gh, with that account’s repository permissions.
The skill is designed to use the authenticated GitHub CLI context. This is expected for GitHub management, but it means commands inherit the active GitHub account and token scopes.
Use `gh` for authenticated GitHub operations from the terminal.
Run `gh auth status` first, confirm the account and token scopes, and use least-privileged GitHub credentials where possible.
The safety of actual command execution depends on the locally installed GitHub CLI and the user’s environment, not on reviewed package code.
The registry metadata does not declare or install the gh binary and provides no source/homepage provenance. Because this is instruction-only and has no included executable code, this is a transparency note rather than a security concern.
Source: unknown ... Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Install or update gh from an official trusted source and confirm its version before use.
