GitHub发布 (GitHub Publish)
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent, but it can use your logged-in GitHub account to create a public repository and publish local files without clear confirmation safeguards.
Install or use this only if you want the agent to publish files to GitHub through your logged-in browser. Make sure it asks before creating a repository, choose Public only intentionally, and review all files for secrets or private data before committing.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files could be published publicly to GitHub, potentially exposing private code, secrets, or other local content if the wrong files are selected.
The browser workflow directs creation of a public GitHub repository and committing selected local files, but does not require a final user approval or sensitive-file check before public publication.
Select Public ... select local files or drag and drop files ... click Commit changes
Before using it, require the agent to confirm the repository name, account, visibility, exact files, and commit message, and scan for secrets before clicking Commit changes.
Actions may be performed under the user's GitHub identity, including creating public repositories and publishing commits.
The skill relies on the user's existing logged-in GitHub browser session to create repositories and commit files, which is delegated account authority.
The browser only needs to be logged in to a GitHub account
Use only in a browser session for the intended GitHub account, and require explicit approval before any repository creation or commit.
