gh-issues
Fetch GitHub issues, spawn sub-agents to implement fixes and open PRs, then monitor and address PR review comments. Usage: /gh-issues [owner/repo] [--label bug]
Security score
The gh-issues skill was audited on Feb 28, 2026 and we found 26 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 386 | ``` |
Template literal with variable interpolation in command context
| 750 | ``` |
Curl to non-GitHub URL
| 210 | curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/user |
Curl to non-GitHub URL
| 646 | curl -s -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/user | jq -r '.login' |
Access to hidden dotfiles in home directory
| 82 | cat ~/.openclaw/openclaw.json | jq -r '.skills.entries["gh-issues"].apiKey // empty' |
Access to hidden dotfiles in home directory
| 117 | > "GitHub authentication failed. Please check your apiKey in the OpenClaw dashboard or in ~/.openclaw/openclaw.json under skills.entries.gh-issues." |
Access to hidden dotfiles in home directory
| 215 | > "GitHub authentication failed. Please check your apiKey in the OpenClaw dashboard or in ~/.openclaw/openclaw.json under skills.entries.gh-issues." |
Access to hidden dotfiles in home directory
| 349 | GH_TOKEN=$(cat ~/.openclaw/openclaw.json 2>/dev/null | jq -r '.skills.entries["gh-issues"].apiKey // empty') || GH_TOKEN=$(cat /data/.clawdbot/openclaw.json 2>/dev/null | jq -r '.skills.entries["gh-is |
Access to hidden dotfiles in home directory
| 384 | export GH_TOKEN=$(cat ~/.openclaw/openclaw.json 2>/dev/null | node -e "const fs=require('fs');const d=JSON.parse(fs.readFileSync(0,'utf8'));console.log(d.skills?.entries?.['gh-issues']?.apiKey||'')") |
Access to hidden dotfiles in home directory
| 717 | GH_TOKEN=$(cat ~/.openclaw/openclaw.json 2>/dev/null | jq -r '.skills.entries["gh-issues"].apiKey // empty') || GH_TOKEN=$(cat /data/.clawdbot/openclaw.json 2>/dev/null | jq -r '.skills.entries["gh-is |
External URL reference
| 101 | "https://api.github.com/repos/{SOURCE_REPO}/issues?per_page={limit}&state={state}&{query_params}" |
External URL reference
| 192 | git remote add fork https://x-access-token:[email protected]/{PUSH_REPO}.git |
External URL reference
| 210 | curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/user |
External URL reference
| 222 | "https://api.github.com/repos/{SOURCE_REPO}/pulls?head={PUSH_REPO_OWNER}:fix/issue-{N}&state=open&per_page=1" |
External URL reference
| 238 | "https://api.github.com/repos/{PUSH_REPO}/branches/fix/issue-{N}" |
External URL reference
| 430 | git remote set-url {PUSH_REMOTE} https://x-access-token:[email protected]/{PUSH_REPO}.git |
External URL reference
| 449 | https://api.github.com/repos/{SOURCE_REPO}/pulls \ |
External URL reference
| 594 | "https://api.github.com/repos/{SOURCE_REPO}/pulls?state=open&per_page=100" |
External URL reference
| 611 | "https://api.github.com/repos/{SOURCE_REPO}/pulls/{pr_number}/reviews" |
External URL reference
| 618 | "https://api.github.com/repos/{SOURCE_REPO}/pulls/{pr_number}/comments" |
External URL reference
| 625 | "https://api.github.com/repos/{SOURCE_REPO}/issues/{pr_number}/comments" |
External URL reference
| 636 | "https://api.github.com/repos/{SOURCE_REPO}/pulls/{pr_number}" |
External URL reference
| 646 | curl -s -H "Authorization: Bearer $GH_TOKEN" https://api.github.com/user | jq -r '.login' |
External URL reference
| 778 | git remote set-url {PUSH_REMOTE} https://x-access-token:[email protected]/{PUSH_REPO}.git |
External URL reference
| 787 | https://api.github.com/repos/{SOURCE_REPO}/pulls/{pr_number}/comments/{comment_id}/replies \ |
External URL reference
| 794 | https://api.github.com/repos/{SOURCE_REPO}/issues/{pr_number}/comments \ |