Is read-github safe?

https://clawhub.ai/am-will/read-github

Overall score: 62 · CAUTION

The read-github skill is a CLI wrapper around the gitmcp.io third-party MCP service for reading GitHub repository documentation. While it contains no direct malicious code, it presents significant security concerns: it auto-installs an unpinned npm package via 'npx -y', exposes arbitrary URL fetching and unrestricted MCP tool calling capabilities, and routes all queries through a third-party service with no transparency. The fetched documentation is processed as trusted LLM context, creating a vector for indirect prompt injection from malicious repositories.

Category Scores (score / 100 · weight in overall score)

Prompt Injection: 80/100 · weight 30%
Data Exfiltration: 45/100 · weight 25%
Code Execution: 40/100 · weight 20%
Clone Behavior: 70/100 · weight 10%
Canary Integrity: 100/100 · weight 10%
Behavioral Reasoning: 45/100 · weight 5%

Findings (10; the number after each finding is its score penalty)

HIGH · Unpinned npx -y auto-install of mcp-remote (-35)

The gitmcp.py script runs 'npx -y mcp-remote ', which automatically downloads and executes the latest version of the mcp-remote npm package without version pinning. This creates a supply chain risk: if the mcp-remote package is compromised, all users of this skill are affected. The -y flag suppresses any confirmation prompts.

HIGH · Arbitrary URL fetching via fetch_generic_url_content (-30)

The skill exposes a 'fetch-url' command and documents a 'fetch_generic_url_content' MCP tool that fetches arbitrary URLs. This can be abused as an open proxy for SSRF or data exfiltration by encoding sensitive data in URL query parameters to an attacker-controlled endpoint. The agent could be tricked into using this through prompt injection in fetched documentation.

HIGH · Generic MCP tool call command with no restrictions (-15)

The 'call' subcommand allows invoking any MCP tool by name with arbitrary JSON arguments. This provides unconstrained access to whatever tools the gitmcp.io MCP server exposes, including potential future tools that may have dangerous capabilities. There is no allowlist or validation of tool names.

MEDIUM · Third-party service dependency with no transparency (-25)

All requests are routed through gitmcp.io, a third-party service. Users have no visibility into what data gitmcp.io collects, logs, or does with the repository queries. This creates a privacy risk and a single point of failure/compromise.

MEDIUM · Fetched documentation processed as trusted content (-30)

When the agent fetches documentation from a repository via this skill, the returned content is processed by the LLM as part of its context. A malicious repository could embed prompt injection payloads in its README or docs that would be executed when a user asks the agent to read that repo's documentation.

MEDIUM · Persuasive language nudges agent behavior (-10)

The skill description uses assertive marketing language ('the RIGHT way', 'Stop pasting raw GitHub URLs', 'zero hallucinations', 'not raw HTML/JSON garbage') designed to make the agent preferentially route GitHub requests through this skill rather than using native tools. While not a direct prompt override, this behavioral nudging reduces user control.

LOW · No input validation on repo path (-10)

The convert_github_to_gitmcp() function performs a simple string replacement with no URL validation. While subprocess.Popen uses list arguments (avoiding shell injection), a crafted repo path could produce unexpected URLs passed to npx/mcp-remote.

LOW · Sensitive file access during install phase (-15)

Filesystem monitoring detected access to .env, .aws/credentials, and openclaw configuration files during the install phase. These appear to be from the openclaw platform runtime rather than the skill itself, but the access pattern warrants noting.

INFO · Skill instructs agent to use specific workflow (-5)

The Workflow section instructs the agent to 'first fetch documentation' when given a GitHub repo, establishing a default behavior pattern. This is standard for utility skills but means the agent will automatically make network requests when processing GitHub URLs.

INFO · All canary files intact (0)

No honeypot files were accessed or modified during the skill installation and analysis. This is a positive indicator.