🤖 GitHub自动管家 (GitHub Auto Butler)
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill claims broad GitHub automation without an API key, but it does not explain what account authority it will use or how high-impact actions will be limited or approved.
Do not let this skill operate on important repositories until it clearly documents how it authenticates to GitHub, what scopes it needs, which repositories it can touch, and when it must ask for confirmation. If testing, use a throwaway repository and a least-privilege credential.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
If an agent applies this skill broadly, it could change repository content, PRs, issues, or CI/CD behavior without clear guardrails.
The skill advertises broad automation over GitHub repositories, pull requests, issues, and CI/CD, but the artifact does not describe allowed operations, confirmation requirements, repository boundaries, or rollback controls.
> description: 自动化管理GitHub仓库、PR、Issue、CI/CD。无需API Key,安装即用。
> (English translation: Automates management of GitHub repositories, PRs, Issues, and CI/CD. No API key required; install and use.)
Recommendation: Use only with explicit user confirmation for each GitHub-changing action, and require the skill to document exact allowed operations, target repositories, and rollback steps.
Finding 2
The skill may rely on an existing GitHub login, token, or delegated account access without making the privilege scope clear to the user.
The registry declares no credential, but the capability signal indicates that sensitive credentials are needed. Together with the GitHub account automation the skill advertises, the artifacts do not clearly state what identity, token, session, or permission scope would be used.
> Primary credential: none; Required env vars: none; Capability signals: requires-sensitive-credentials
Recommendation: Require an explicit authentication method, minimal GitHub scopes, per-repository limits, and visible approval before any account-changing operation.
Finding 3
Users may trust the skill more than they should and allow GitHub actions without understanding how authentication and permissions are handled.
The 'no API key, install and use' claim may lead users to underestimate account-access risk for a skill that claims it can manage GitHub repositories and CI/CD.
> 无需APIKey,安装即用。
> (English translation: No API key required; install and use.)
Recommendation: Treat the no-key claim as unresolved until the skill clearly explains whether it uses browser sessions, platform credentials, OAuth, public-only access, or another bounded mechanism.
Finding 4
It is harder to verify who maintains the skill or whether future versions are trustworthy.
There is limited provenance information for a skill that claims high-impact GitHub automation, though no runnable code or install-time dependency is present in the provided artifacts.
> Source: unknown; Homepage: none
Recommendation: Prefer skills with a clear source repository, documented maintainer, and reviewable implementation before granting GitHub authority.
