github-star-manager

Fail

Audited by Socket on Mar 7, 2026

1 alert found:

Obfuscated File (HIGH): SKILL.md

Benign to moderately suspicious overall. The skill’s stated purpose (discovering, starring, and tracking GitHub repositories with a visual dashboard) aligns with its described capabilities and dependencies. However, the workflow involves handling GitHub PATs and OpenAI API keys, performing actions on the user’s GitHub account (starring repos, syncing updates), and sending project data to external services (OpenAI) for summarization. This creates potential credential exposure and data flow to external services. The absence of explicit security controls (scopes, least-privilege defaults, token handling best practices, and data minimization) elevates risk. The usage pattern matches a legitimate developer tool, but the combination of direct token-based actions, dashboards, and optional external AI processing warrants a cautious, suspicious rating until robust security controls (least privilege tokens, explicit user consent for bulk actions, in-app data minimization, and secure logging) are documented and enforced.

Confidence: 98%
Audit Metadata
Analyzed At
Mar 7, 2026, 07:18 AM
Package URL
pkg:socket/skills-sh/cat-xierluo%2Flegal-skills%2Fgithub-star-manager%2F@9ca4cf526a64b2a3b6b2298664f12747f8d5ab74