Skillv0.1.0

ClawScan security

github-mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 27, 2026, 10:14 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated GitHub integration is plausible, but the runtime instructions require a GITHUB_TOKEN (and send it to a remote endpoint) even though the registry metadata declares no credentials — plus the recommended HTTP endpoint (api.githubcopilot.com) is unexpected — so the pieces are inconsistent and warrant caution.
Guidance: Do not install or use this skill until you verify two things: (1) confirm the correct, trusted endpoint for the MCP gateway — 'https://api.githubcopilot.com/mcp/' is unexpected for direct GitHub API operations; verify that domain is official and intended to receive your GITHUB_TOKEN, or prefer the local stdio server. (2) The skill requires a GITHUB_TOKEN at runtime but the registry metadata does not declare that credential — ask the publisher to declare any required env vars and explain where tokens are sent. If you proceed, prefer running a local github-mcp-server you downloaded from the official repo, restrict the token scopes to the minimum needed, and consider using an ephemeral token. If you cannot verify the endpoint and publisher, do not provide long-lived or broad-scope tokens to this skill. Additional information that would raise confidence to 'benign': an authoritative homepage/publisher, metadata declaring GITHUB_TOKEN as required, and confirmation that the HTTP endpoint is an official and audited gateway (or guidance to prefer only the local stdio server).

Review Dimensions

Purpose & Capability: concernName/description match the provided mcporter tool schema (repo/issue/PR/CI operations). However the skill metadata declares no required credentials or config, while the SKILL.md and tools reference explicitly require a GITHUB_TOKEN (or Authorization header). That mismatch (declared requirements vs runtime requirements) is incoherent.
Instruction Scope: concernSKILL.md instructs the agent/operator to add a remote HTTP MCP endpoint with an Authorization header containing ${GITHUB_TOKEN}, or to run a local stdio server. This means the skill will direct GitHub credentials to an endpoint (https://api.githubcopilot.com/mcp/) not documented in metadata. Instructions do not ask to read unrelated local files, but they do require transmitting a sensitive token to a remote host if using the HTTP option.
Install Mechanism: okNo install spec or code files — instruction-only skill — so nothing is automatically downloaded or executed by the registry. The SKILL.md suggests downloading a server from a GitHub releases page (legitimate pattern), or using an existing local binary; that is reasonable but relies on the operator to fetch and run external code.
Credentials: concernThe runtime clearly requires a GITHUB_TOKEN (sensitive credential) for all operations, yet the skill metadata lists no required env vars or primary credential. The skill also suggests sending that token to a remote domain (api.githubcopilot.com) instead of the standard GitHub API endpoint, which amplifies the risk if the domain is not a trusted/official host.
Persistence & Privilege: okNo elevated privileges requested in metadata (always:false). The skill is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for skills. The skill does not request installation or modification of other skills.