github

Fail

Audited by Socket on Mar 7, 2026

2 alerts found:

Obfuscated File (x2)

Obfuscated File (HIGH): SKILL.md

The GitHub Skill presents a coherent and proportionate toolset for performing GitHub operations via Python scripts with structured output. The footprint is consistent with the stated purpose (avoid raw gh, provide robust output and error handling). The main security considerations hinge on credential management (tokens needed to access GitHub) and dependency provenance. No evident download-execute supply chain or credential-forwarding to unknown binaries is described. Overall, the skill appears benign to moderately risky (expected credential handling and mutating GitHub actions), deserving normal trust with proper credential governance and dependency sourcing.

Confidence: 98%
Obfuscated File (HIGH): fix-ci.md

No explicit malware or obfuscated payloads found in this skill specification. The primary security concern is the autonomous commit-and-push behavior without approval or path restrictions, and the execution of repository code during local validation — both create supply-chain risks that could be abused to inject malicious code or leak secrets. Recommend mitigating controls: require human approval for pushes to protected branches, restrict editable file paths, use least-privilege tokens, add commit review/audit logging, and sanitize or sandbox local validation execution.

Confidence: 98%
Audit Metadata

Analyzed At: Mar 7, 2026, 02:46 AM

Package URL: pkg:socket/skills-sh/rjmurillo%2Fai-agents%2Fgithub%2F@36340103c7bbdcd341d5fa9c83d0ac26d3ad935b