github-auth

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill recommends using git config --global credential.helper store, which causes GitHub authentication tokens to be saved in plaintext on the local file system at ~/.git-credentials.
  • [CREDENTIALS_UNSAFE]: Documentation in the skill suggests embedding Personal Access Tokens directly into Git remote URLs, which results in the exposure of these secrets in plaintext within the repository's .git/config file.
  • [DATA_EXFILTRATION]: Both SKILL.md and scripts/gh-env.sh access sensitive file paths including ~/.git-credentials, ~/.ssh/id_ed25519, and ~/.hermes/.env to retrieve authentication data.
  • [DATA_EXFILTRATION]: The skill implements programmatic logic to scrape and extract sensitive tokens from the ~/.git-credentials file using shell commands like grep and sed.
  • [COMMAND_EXECUTION]: The skill performs various system-level configuration changes, such as modifying global Git identity settings and generating new SSH keys.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 01:45 PM
Security Audit — agent-trust-hub — github-auth