github-mpc
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a transparent MCP setup guide, but it asks users to connect sensitive company GitHub and Atlassian access, so least-privilege credentials matter.
Install this only if you are setting up the intended Product Guide Writer workflow for the named Trading212 resources. Prefer fine-grained/read-only tokens where possible, verify MCP package names and endpoints, and grant optional Figma or Elasticsearch access only when needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GitHub token with these scopes can expose private repository and organization information if misused or installed into an untrusted MCP server.
The guide asks the user to create a GitHub token with organization and repository access. This is expected for private repository search, but these scopes are sensitive and may grant broader repository authority than read-only documentation lookup needs.
Grant `repo` and `read:org` scopes
Use a fine-grained or read-only token limited to the required organization/repositories if possible, keep it out of chat logs, and rotate it if no longer needed.
If used carelessly, the connected agent could publish or modify Confluence content in the configured space.
The Atlassian MCP capability includes creating Confluence pages. That is aligned with the Product Guide Writer workflow, but it can change shared business documentation.
user-atlassian | Confluence search/publish, Jira integration | Yes | searchConfluenceUsingCql, createConfluencePage, getConfluenceSpaces
Review page destinations and generated content before publishing, and restrict Confluence permissions to the intended space where possible.
Installing an unexpected or changed package version could alter the behavior of the GitHub MCP server.
The setup example runs an npm-hosted MCP server package without pinning a version. This is user-directed and purpose-aligned, but it depends on external package provenance.
"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]
Install official MCP servers only, consider pinning package versions, and verify package names before adding them to Cursor configuration.
Repository, Confluence, design, or log data may be accessed through the configured MCP servers during later workflows.
The workflow depends on MCP servers that broker access to external SaaS or infrastructure services. The integrations are disclosed, but they define where queries and retrieved data may flow.
Required MCP Servers ... user-atlassian ... user-github ... user-Figma ... user-elasticsearch-mcp
Use trusted MCP servers, verify endpoints and account scopes, and avoid granting optional integrations unless they are needed.
