Is dannyshmueli/github-pat safe?

https://github.com/openclaw/skills/tree/main/skills/dannyshmueli/github-pat

Overall score 77 · CAUTION

The github-pat skill provides legitimate GitHub API access via PAT scopes but contains several compounding security weaknesses: the PAT is embedded in subprocess git URL arguments (leaking it to process listings), a blind 'git add -A' can accidentally commit secrets to remote repositories, and SKILL.md instructs the agent to persist the token in TOOLS.md where it is accessible to co-installed skills. No malicious prompt injection, attacker-controlled network endpoints, or canary file exfiltration was detected, and the install process was clean. The risks are operational security failures rather than intentional malice, but they create real credential exposure and data leakage vectors in production agent environments.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 83/100 · 10%
Behavioral Reasoning 62/100 · 5%

Findings (6)

HIGH GitHub PAT embedded in subprocess git URL arguments -25

Both cmd_clone and cmd_push construct git remote URLs with the PAT embedded in the authority component (https://<PAT>@github.com/...) and pass these as subprocess arguments. This makes the token visible in process listings (/proc/*/cmdline, ps aux output) to any user or process on the system with read access to /proc. In multi-user or containerized environments this is a meaningful credential leakage surface.

HIGH Blind 'git add -A' stages all files before push -20

The push command unconditionally stages every file in the working tree with 'git add -A' before committing. If the agent is operating in a directory containing .env files, private keys, database credentials, or other secrets, those will be silently included in the commit and pushed to GitHub. This is especially dangerous because the agent is unlikely to review staged files before executing the push workflow.

MEDIUM PAT storage in TOOLS.md creates cross-skill credential exposure -12

SKILL.md explicitly instructs the agent to store the PAT in TOOLS.md under a named section. TOOLS.md is part of the agent's persistent context and is readable by all co-installed skills. A second malicious skill could read TOOLS.md to harvest the PAT without the user's knowledge. This is a design-level credential management weakness, not a direct prompt injection, but it expands the attack surface significantly in multi-skill deployments.

MEDIUM Token-in-URL anti-pattern enables post-hoc credential harvesting -18

GitHub PATs embedded in git remote URLs are cached in git's credential store and may also persist in shell history, git reflog, or CI/CD audit logs. An attacker who later gains read access to any of these artifacts can recover a valid PAT long after the skill session ended. The combination of TOOLS.md persistence and URL-embedded tokens means the PAT has multiple long-lived exposure vectors.

LOW Commit message passed without validation to subprocess -5

The user-supplied commit message (args.message) is passed directly to 'git commit -m' as a subprocess list argument. While the list form of subprocess.run prevents shell injection, an attacker-controlled commit message containing newlines could corrupt git log output or trigger issues in downstream tooling that parses git log. Risk is low given list-form subprocess invocation.

INFO Canary credential files read in two batches during audit session 0

Six honeypot credential files were accessed at audit timestamp 1771930642.775 (pre-install) and again at 1771930665.960 (post-install). All reads were CLOSE_NOWRITE (read-only). The post-install batch timing and systematic ordering across all canary types (env, ssh key, aws creds, npmrc, docker, gcloud) strongly suggests this is oathe's own integrity verification routine rather than skill-originated reconnaissance. Canary integrity check confirms all files intact.