Back to skill

Security audit

GitHub Skills Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a real GitHub assistant skill, but it can make lasting GitHub changes with a token and exposes an under-documented pull request action without built-in confirmation.

Install only if you want an assistant to use your GitHub token for both read and write actions. Prefer a narrowly scoped token, avoid full private-repo access unless needed, review the configured token storage, and manually confirm any issue, repository, or pull request creation before allowing the action to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares access to environment/config-held GitHub credentials and clearly performs networked actions against GitHub, but it does not declare explicit permissions governing those capabilities. In an agent ecosystem, missing permission declarations can undermine policy enforcement and informed user consent, especially for a skill that can both read data and perform write operations such as creating issues or repositories.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description presents a limited set of repository-management behaviors, but the detected behavior includes additional state-changing or broader actions such as creating repositories and pull requests. This mismatch is dangerous because users and security controls may authorize the skill based on an incomplete understanding of what it can do, enabling unexpected writes to GitHub resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises `Create Issues` and `Create Repos` as available actions but does not clearly warn that these operations make persistent changes to the user's GitHub account and repositories. In an agentic context, insufficient disclosure around write-capable actions increases the risk of unintended state-changing operations triggered by ambiguous prompts or user misunderstanding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to place a GitHub token in `~/.openclaw/openclaw.json`, which is plaintext credential storage, without strong warning about local file disclosure risk, backups, permissions, or malware/user-access exposure. Although local config storage can be common, documenting it as a supported option without emphasizing secure file permissions or using a credential store normalizes unsafe secret handling.

Vague Triggers

Low
Confidence
66% confidence
Finding
The usage examples show broad natural-language requests like 'Create an issue about the bug' without any activation boundaries, repository disambiguation, or confirmation step. In agent settings, vague triggers can cause unintended invocation or action on the wrong repository, particularly when the skill supports write operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function creates a GitHub repository immediately via a POST to /user/repos with no built-in confirmation, dry-run mode, or guardrail separating read-only from write-capable actions. In an agent skill, this is dangerous because an LLM or prompt injection could trigger unintended state-changing operations on the user's GitHub account, causing unauthorized repo creation, visibility mistakes, or clutter/resource abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function opens a pull request through a direct POST request without any user-facing approval checkpoint. In the context of an agent-integrated GitHub skill, that enables unintended code workflow changes if the model is manipulated or acts on ambiguous instructions, potentially creating misleading PRs, triggering CI, or disrupting development processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The issue-creation path performs a state-changing POST to GitHub using the configured token, but there is no confirmation, approval gate, or policy check before submission. In an agent setting this can be abused by prompt injection or mistaken interpretation to spam repositories, leak sensitive text into issue bodies, or create unauthorized tickets under the user's identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill interface exposes state-changing GitHub actions such as repository, issue, and pull request creation, but the declaration provides no indication of explicit user confirmation, write-operation warning, or permission gating. In an agent context, this increases the risk of unintended or prompt-induced mutations to a user's GitHub account or repositories, especially because GitHub actions can have durable public or organizational effects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.