hhdfasf

Pass

Audited by ClawScan on May 1, 2026.

Overview

No material suspicious behavior was found; this is a simple GitHub CLI helper, but users should note that it relies on their local gh setup and can query account-scoped GitHub data.

Before installing, make sure the GitHub CLI is installed and authenticated only to accounts and repositories you are comfortable letting the agent query. Review any gh api command carefully, especially if it uses non-read methods or targets private repositories.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used too broadly, the agent could query more GitHub data than the user intended, though the provided examples are read-oriented.

Why it was flagged

This exposes a broad GitHub API interface, which is expected for the skill's purpose but should be used with specific endpoints and repository scope.

Skill content

The `gh api` command is useful for accessing data not available through other subcommands.

Recommendation

Use explicit repository names and review any gh api command before allowing state-changing methods or broad endpoint access.

What this means

The agent may be able to read private PR, workflow, or log information that the local GitHub CLI account can access.

Why it was flagged

Workflow run and log queries can expose repository information available to the GitHub identity configured for the gh CLI; this is aligned with the purpose but account-scoped.

Skill content

View logs for failed steps only:
```bash
gh run view <run-id> --repo owner/repo --log-failed
```

Recommendation

Authenticate gh only to GitHub accounts and repositories you are comfortable letting the agent query, and avoid using this skill for sensitive logs unless needed.

What this means

Users may not receive an accurate setup warning that the GitHub CLI is required.

Why it was flagged

The registry requirements declare no required binaries, but the skill instructions depend on gh being installed; this is a metadata/setup gap rather than hidden code.

Skill content

Use the `gh` CLI to interact with GitHub.

Recommendation

Confirm gh is installed and configured intentionally before using the skill.