Is happydog-intj/github-passwordless-setup safe?

https://github.com/openclaw/skills/tree/main/skills/happydog-intj/github-passwordless-setup

74 · CAUTION

This skill is a legitimate GitHub SSH and PAT authentication setup guide with no evidence of malicious intent, active exfiltration, or prompt injection. The primary security concerns are the prominent curl|bash one-liner that an LLM agent with shell access could execute against an unpinned remote URL, over-privileged PAT scope recommendations that expose delete and org-admin capabilities, and automated SSH key generation without passphrase protection. Installation is not recommended unless the user is aware that an agent may interpret documentation commands as execution directives.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 79/100 · 25%
Code Execution 51/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 61/100 · 5%

Findings (7)

HIGH · curl | bash one-liner executes remote unauthenticated code · -35

Both SKILL.md and README.md present a curl|bash one-liner as the primary 'Quick Setup' path. The source URL (raw.githubusercontent.com/happydog-intj/github-passwordless-setup/master/setup.sh) is not pinned to a commit hash, meaning the content served can change at any time after this audit. An LLM agent with Bash tool access that interprets skill documentation as executable directives could run this command when a user asks to 'set up GitHub auth', downloading and executing arbitrary updated code in the user's shell session.

MEDIUM · Executable bash commands embedded in documentation context create agent execution risk · -17

The SKILL.md is designed to be injected into an LLM agent's system prompt. The document contains numerous bash command blocks (ssh-keygen, gh auth login, git remote set-url) that are intended as user-facing instructions but could be misinterpreted by an agent as directives to execute. The skill provides no explicit framing such as 'show these commands to the user' or 'do not execute these autonomously', increasing the risk of unsolicited shell execution.

MEDIUM · Over-privileged PAT scope recommendations with no expiration · -35

The skill's primary configuration guide recommends creating a GitHub PAT with repo (all sub-scopes), workflow, delete_repo, and admin:org permissions, and explicitly suggests 'No expiration' as the preferred setting. While a Security Best Practices section mentions minimum scopes, the prominent featured configuration is far beyond what is needed for basic passwordless git operations. A compromised token with these scopes can delete repositories and administer GitHub organizations.

MEDIUM · Automated SSH key generation silently creates keys without passphrase · -14

The automated setup.sh uses the -N "" flag to create an SSH key with an empty passphrase. The manual documentation mentions passphrases as 'optional but recommended', but the automated path silently skips passphrase protection. An agent executing this script creates an unprotected private key on disk that any local process can read and use to authenticate to GitHub.

LOW · PAT passes through agent context if agent executes setup steps · -21

The gh auth login --with-token flow reads the token from stdin. If an LLM agent is executing setup steps interactively, the PAT value would appear in the agent's working context and conversation history before being consumed by the gh binary. This is a credential exposure risk specific to agent-mediated execution, not present when a human runs the script directly.

LOW · setup.sh and verify.sh create public GitHub repositories as side effects · -10

Both setup scripts create a public GitHub test repository (test-auth-verify-XXXXXX or test-auth-$(date +%s)) and then delete it. This makes a public repository visible on the user's GitHub profile momentarily, consumes API rate limits, and performs destructive actions (deletion) without per-run explicit user consent. If the deletion step fails, a public test repository is left on the user's account.

INFO · Canary file accesses confirmed to be audit infrastructure only · 0

The auditd PATH logs show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at timestamps 1771936997.138-141 and 1771937014.740-741. Correlation with the process execution timeline confirms these are from the oathe audit system: the git clone (skill install) occurred at 1771937002.644, so the first batch precedes the install and the second follows it. No skill code references these paths. Canary integrity is confirmed clean.