Github Collab
Warn
Audited by ClawScan on May 10, 2026.
Overview
This GitHub collaboration skill is mostly purpose-aligned, but it needs review because it can use GitHub credentials, spawn long-running subagents, and contains an unsafe dynamic shell command.
Install only if you are comfortable granting it access to your GitHub context and running multi-agent automation. Use a least-privilege GitHub token, run it in an isolated workspace, review any repository names or task inputs before running progress/report scripts, and stop/clean up subagents when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed repository value could make the local machine run commands beyond listing GitHub issues.
The script builds a shell command with an interpolated repository name. If repoName can come from user input or configuration, shell metacharacters could cause unintended local command execution.
const issues = execSync(`gh issue list --repo ${repoName} --limit 50`, { encoding: 'utf8' });
Replace shell-string execSync with execFile/spawn using an argument array, and validate repository names with a strict owner/repo allowlist pattern.
If a GitHub token or logged-in gh session is present, the skill may operate using the user's GitHub identity without the registry making that credential dependency clear.
The code reads a GitHub token even though the registry metadata declares no required environment variables and no primary credential. Other scan evidence also shows GitHub CLI authenticated access via gh.
github: {
  token: process.env.GITHUB_TOKEN,
Declare the GitHub credential requirement, document the minimum scopes, bind actions to explicit repositories, and require confirmation before any write/mutation actions.
Subagents or queue processing could continue working on tasks after the initial request unless the user actively stops the controller.
The example enables automatic task processing and states the controller will continue running. This is disclosed and purpose-aligned, but it creates long-running autonomous behavior that needs explicit user control.
autoProcessQueue: true,
...
console.log('Controller will continue running and processing tasks...');
Provide clear runtime limits, visible subagent/task status, per-task approval for high-impact actions, and documented stop/cleanup commands.
Task details or session content could be shared between agents or sent to configured notification channels.
The skill can send messages to agent sessions, read session history, and notify external channels. This is aligned with collaboration, but the artifacts do not fully define data boundaries for what may be sent.
sessions_send: send messages to Agent sessions - sessions_history: get session history - message: send notifications to multiple channels (QQ, Telegram, etc.)
Review configured channels before use, avoid placing secrets in task descriptions, and require confirmation before forwarding sensitive session content externally.
Users may run package code and dependencies without registry-level install metadata describing what will be installed or executed.
The documentation instructs users to install and run a Node package, while the registry metadata lists no install spec and the source/homepage are unknown. This is a provenance and reviewability gap rather than direct malicious evidence.
npm install ... npm start
Inspect package.json/package-lock.json, install in an isolated project, and prefer a version with clear source provenance and declared install requirements.
