github-auth
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill recommends using
git config --global credential.helper store, which causes GitHub authentication tokens to be saved in plaintext on the local file system at~/.git-credentials. - [CREDENTIALS_UNSAFE]: Documentation in the skill suggests embedding Personal Access Tokens directly into Git remote URLs, which results in the exposure of these secrets in plaintext within the repository's
.git/configfile. - [DATA_EXFILTRATION]: Both
SKILL.mdandscripts/gh-env.shaccess sensitive file paths including~/.git-credentials,~/.ssh/id_ed25519, and~/.hermes/.envto retrieve authentication data. - [DATA_EXFILTRATION]: The skill implements programmatic logic to scrape and extract sensitive tokens from the
~/.git-credentialsfile using shell commands likegrepandsed. - [COMMAND_EXECUTION]: The skill performs various system-level configuration changes, such as modifying global Git identity settings and generating new SSH keys.
Audit Metadata