Low Risk — Risk Score 15/100
Last scan: 1 day ago
github-automation
Automate common GitHub tasks — create issues, check PR status, list repos, manage projects.
A straightforward GitHub API CLI with no hidden or malicious behavior; the only concern is disabled SSL verification for GitHub API requests, which has a plausible legitimate use case (a TLS-inspecting proxy) but still leaves the token exposed to interception until it is fixed.
Skill Name: github-automation
Duration: 29.1s
Engine: pi
Verdict: Safe to install
Re-enable SSL certificate verification by removing the ctx.check_hostname and ctx.verify_mode overrides. If requests must traverse an internal TLS-inspecting proxy (the internal/CustomHTTPSBackend case), trust that proxy's CA certificate in the context rather than disabling verification for every connection.

Findings (1 item)

Severity: Medium
Finding: SSL certificate verification disabled (Sensitive Access)
Location: scripts/gh_tool.py:30

The SSL context used for GitHub API requests has check_hostname=False and verify_mode=ssl.CERT_NONE, disabling all server certificate validation. Any attacker on the network path to api.github.com can present an arbitrary certificate, terminate the TLS session, and read the Authorization header carrying the GitHub token.

    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

→ Remove the two lines setting check_hostname and verify_mode so that Python's default certificate verification runs. If TLS inspection is required, load the inspecting proxy's CA certificate into the context rather than disabling verification globally.
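Added example (not code from the github-automation skill or from the scanner): the flagged context rebuilt beside a hardened replacement, plus a small audit helper that reports the same weakness on any SSLContext. The function names and the optional proxy_cafile argument (a PEM path a deployer would supply for a TLS-inspecting proxy) are assumptions for illustration.

```python
"""Added example (not code from the github-automation skill or the scanner):
the insecure SSL context the finding describes beside a hardened replacement,
plus a helper that audits any SSLContext for the same weakness.  Function
names and the optional proxy CA file path are assumptions for illustration."""
import ssl
from typing import List, Optional


def build_insecure_context() -> ssl.SSLContext:
    """Reproduces the flagged pattern from gh_tool.py: no hostname check and no
    chain validation, so any on-path attacker can present an arbitrary
    certificate, terminate TLS and read the Authorization header."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE or Python raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_secure_context(proxy_cafile: Optional[str] = None) -> ssl.SSLContext:
    """Default verification: system trust store, hostname check, CERT_REQUIRED.
    If traffic to api.github.com passes through a TLS-inspecting proxy, add that
    proxy's CA certificate to the trust store instead of turning validation off.
    `proxy_cafile` is a hypothetical PEM path supplied by the deployer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if proxy_cafile is not None:
        ctx.load_verify_locations(cafile=proxy_cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses present in ctx (empty list means OK)."""
    issues = []
    if ctx.verify_mode == ssl.CERT_NONE:
        issues.append("verify_mode=CERT_NONE: server certificate chain is not validated")
    if not ctx.check_hostname:
        issues.append("check_hostname=False: certificate is not matched to the requested host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("minimum_version below TLS 1.2: legacy protocol versions accepted")
    return issues


if __name__ == "__main__":
    for name, ctx in (("insecure", build_insecure_context()),
                      ("secure", build_secure_context())):
        print(f"{name}: {audit_context(ctx) or 'no issues'}")
```

Passing the hardened context as `context=` to urllib.request.urlopen keeps the GitHub request unchanged while restoring validation; the audit helper is the check to run in a test so the override cannot quietly come back.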
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | urllib.request.urlopen to https://api.github.com, lines 32-63
Environment | READ | READ | ✓ Aligned | os.environ.get('GITHUB_TOKEN'), lines 14-20; used for GitHub auth only
Shell | NONE | NONE | | No subprocess/os.system/eval calls found
Filesystem | NONE | NONE | | No file read/write operations in gh_tool.py
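Added example, not the scanner's own rule set and not code from github-automation: a minimal AST pass that infers which resource categories a Python file touches (the Inferred column above), flags the SSL verification bypass with its line numbers, and compares the result against the declared access. The sample source is constructed to resemble the reported shape of scripts/gh_tool.py, and the call table is a deliberately small illustration.

```python
"""Added example, not the scanner's own rule set and not code from
github-automation: a minimal AST pass that infers which resource categories a
Python file touches (the "Inferred" column above), flags the SSL verification
bypass, and compares the result with the declared access.  The sample source is
constructed to resemble the reported shape of scripts/gh_tool.py; the call
table is illustrative and deliberately small."""
import ast
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Dotted call names and the resource category each one implies.
CALL_CATEGORIES = {
    "urllib.request.urlopen": "Network", "requests.get": "Network",
    "requests.post": "Network", "socket.socket": "Network",
    "os.environ.get": "Environment", "os.getenv": "Environment",
    "subprocess.run": "Shell", "subprocess.Popen": "Shell",
    "os.system": "Shell", "eval": "Shell", "exec": "Shell",
    "open": "Filesystem", "shutil.copy": "Filesystem",
}
RESOURCES = ("Network", "Environment", "Shell", "Filesystem")


def dotted(node: ast.AST) -> Optional[str]:
    """Turn a Name/Attribute chain such as urllib.request.urlopen into a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class ResourceVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.categories: Dict[str, set] = defaultdict(set)
        self.findings: List[Tuple[int, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        category = CALL_CATEGORIES.get(dotted(node.func))
        if category:
            self.categories[category].add(node.lineno)
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if dotted(node.value) == "os.environ":  # os.environ["X"] without .get
            self.categories["Environment"].add(node.lineno)
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            if (target.attr == "check_hostname"
                    and isinstance(node.value, ast.Constant) and node.value.value is False):
                self.findings.append((node.lineno, "check_hostname = False disables TLS hostname matching"))
            if target.attr == "verify_mode" and dotted(node.value) == "ssl.CERT_NONE":
                self.findings.append((node.lineno, "verify_mode = ssl.CERT_NONE disables certificate validation"))
        self.generic_visit(node)


def analyze(source: str) -> Tuple[Dict[str, List[int]], List[Tuple[int, str]]]:
    """Return ({category: [lines]}, [(line, message)]) for one Python source."""
    visitor = ResourceVisitor()
    visitor.visit(ast.parse(source))
    return {k: sorted(v) for k, v in visitor.categories.items()}, sorted(visitor.findings)


def alignment(declared: Dict[str, str], inferred: Dict[str, List[int]]) -> Dict[str, str]:
    """Aligned when a resource is declared (not NONE) exactly if the code uses it."""
    return {r: "Aligned" if (declared.get(r, "NONE") != "NONE") == (r in inferred) else "Mismatch"
            for r in RESOURCES}


# Constructed sample in the shape the report describes; not the real gh_tool.py.
SAMPLE = '''\
import os, ssl, json
import urllib.request

TOKEN = os.environ.get("GITHUB_TOKEN")

def make_ctx():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def list_repos():
    req = urllib.request.Request("https://api.github.com/user/repos",
                                 headers={"Authorization": "token " + TOKEN})
    with urllib.request.urlopen(req, context=make_ctx()) as resp:
        return json.load(resp)
'''

if __name__ == "__main__":
    categories, findings = analyze(SAMPLE)
    print(categories, findings)
    print(alignment({"Network": "READ", "Environment": "READ"}, categories))
```

A real scanner resolves imports and aliases (import urllib.request as u) before matching names; this pass matches literal dotted calls only, which is enough to show how a declared/inferred mismatch or an undeclared subprocess call would surface.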

File Tree

2 files · 7.6 KB · 266 lines
Python: 1 file, 181 lines · Markdown: 1 file, 85 lines
├─ 📁 scripts
│ └─ 🐍 gh_tool.py Python 181L · 5.9 KB
└─ 📝 SKILL.md Markdown 85L · 1.7 KB

Security Positives

✓ No shell execution (subprocess, os.system, eval) — code is purely a GitHub API client
✓ No credential exfiltration — GITHUB_TOKEN is read but never transmitted anywhere other than the official GitHub API (the Medium finding above means that transmission is interceptable on-path until verification is restored)
✓ No filesystem access declared or implemented
✓ No obfuscation (no base64, no exec/eval chains)
✓ SKILL.md accurately describes all functionality — no doc-to-code mismatch
✓ No third-party dependency risk — no external packages, stdlib only
✓ All network I/O targets api.github.com; no requests to third-party hosts