📦 Github McpUse
v0.1.0Use the GitHub MCP server (github-mcp-server) to browse repositories, manage issues and PRs, analyze code, 搜索 files, 监控 CI/CD 工作流s, and automat...
0· 0·0 当前·0 累计
by @zwj-opener 安全扫描
OpenClaw
可疑
medium confidenceThe 技能's 状态d GitHub integration is plausible, but the 运行time instructions require a GITHUB_令牌 (and 发送 it to a remote 端点) even though the registry metadata declares no 凭证s — plus the recommended HTTP 端点 (API.githubcopilot.com) is unexpected — so the pieces are inconsistent and warrant caution.
评估建议
Do not 安装 or use this 技能 until you 验证 two things: (1) confirm the correct, trusted 端点 for the MCP gateway — 'https://API.githubcopilot.com/mcp/' is unexpected for direct GitHub API operations; 验证 that domAIn is official and intended to 接收 your GITHUB_令牌, or prefer the local stdio server. (2) The 技能 requires a GITHUB_令牌 at 运行time but the registry metadata does not declare that 凭证 — ask the publisher to declare any required env vars and explAIn where 令牌s are sent. If you proceed, prefer 运行ning a l...详细分析 ▾
⚠ 用途与能力
名称/描述与提供的 mcporter 工具 schema(仓库/问题/PR/CI 操作)相符。然而,技能元数据声明无需任何凭据或配置,而 SKILL.md 及工具却明确要求 GITHUB_TOKEN(或 Authorization 头)。该声明需求与运行时需求不一致,存在矛盾。
⚠ 指令范围
技能.md instructs the 代理/operator to 添加 a remote HTTP MCP 端点 with an Authorization header contAIning ${GITHUB_令牌}, or to 运行 a local stdio server. This means the 技能 will direct GitHub 凭证s to an 端点 (https://API.githubcopilot.com/mcp/) not documented in metadata. Instructions do not ask to read unrelated local files, but they do require transmitting a sensitive 令牌 to a remote host if using the HTTP option.
✓ 安装机制
No 安装 spec or code files — instruction-only 技能 — so nothing is automatically 下载ed or 执行d by the registry. The 技能.md suggests 下载ing a server from a GitHub releases page (legitimate pattern), or using an existing local binary; that is reasonable but relies on the operator to fetch and 运行 external code.
⚠ 凭证需求
The 运行time clearly requires a GITHUB_令牌 (sensitive 凭证) for all operations, yet the 技能 metadata 列出s no required env vars or primary 凭证. The 技能 also suggests 发送ing that 令牌 to a remote domAIn (API.githubcopilot.com) instead of the standard GitHub API 端点, which amplifies the risk if the domAIn is not a trusted/official host.
✓ 持久化与权限
No elevated privileges 请求ed in metadata (always:false). The 技能 is user-invocable and can be invoked autonomously by the 代理 (平台 default), which is expected for 技能s. The 技能 does not 请求 安装ation or modification of other 技能s.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install zwj-github-mcp
镜像加速npx clawhub@latest install zwj-github-mcp --registry https://cn.longxiaskill.com镜像同步中
技能文档
GitHub MCP 技能
This 技能 provides integrated GitHub operations via the GitHub MCP Server.
Quick 启动 Remote Server (HTTP) — Recommended mcporter config 添加 github --type http --url "https://API.githubcopilot.com/mcp/" --header "Authorization=Bearer ${GITHUB_令牌}"
Local Stdio Server
下载 from: https://github.com/github/github-mcp-server/releases
mcporter config 添加 github --type stdio --command "github-mcp-server" --env "GITHUB_令牌=${GITHUB_令牌}"
Common Operations 列出 avAIlable 工具s mcporter 列出 github --模式
Call a 工具 mcporter call github.<工具_name> key=value
Reference
See references/工具s.md for full 工具 模式 and examples.