      am-will

      Safety Report

      Read GitHub

      @am-will

      Read GitHub repos the RIGHT way - via gitmcp.io instead of raw scraping. Why this beats web search: (1) Semantic search across docs, not just keyword matching, (2) Smart code navigation with accurate file structure - zero hallucinations on repo layout, (3) Proper markdown output optimized for LLMs, not raw HTML/JSON garbage, (4) Aggregates README + /docs + code in one clean interface, (5) Respects rate limits and robots.txt. Stop pasting raw GitHub URLs - use this instead.

      3,377 Downloads
      22 Installs
      3 Stars
      2 Versions
      API Integration (4,971) · Search & Retrieval (2,116) · File Management (2,100) · AI & Machine Learning (1,383)

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The skill's code and instructions broadly match its stated purpose (using a gitmcp.io MCP service to read repos), but it delegates work to an external service and invokes npx at runtime without pinning — behaviour that could expose repo contents or arbitrary URLs to a third party and execute unpinned code from npm.

      Feb 11, 2026 · 2 files · 4 concerns
      Purpose & Capability: note

      The skill's name/description (read GitHub via gitmcp.io) matches what the script does: convert GitHub paths to gitmcp.io and call MCP tools. Minor mismatches: the README claims things like "respects rate limits and robots.txt" and "uses GitHub Search API" but the local code does not enforce robots.txt or call GitHub directly — those responsibilities are deferred to the remote gitmcp service.

      Instruction Scope: concern

      SKILL.md instructs the agent to send repo identifiers and arbitrary URLs to remote MCP tools (e.g., fetch-url), but never warns that those inputs will be transmitted to gitmcp.io. The tool can cause the remote service to fetch arbitrary URLs (potentially internal or sensitive links). The instructions give broad discretion to call arbitrary tools on the remote MCP server, which expands the blast radius beyond simply reading public docs.

      Install Mechanism: concern

      There is no install spec, but the included script calls `npx -y mcp-remote <mcp_url>` at runtime. That invokes and executes code fetched from the npm registry on each run (un-pinned, auto-accepted with -y). Running unpinned, remote npm code at runtime increases risk (supply-chain / arbitrary code execution) and is a material installation/operation risk not documented in SKILL.md.

      Credentials: note

      The skill requests no environment variables or credentials (which is proportionate). However, because all requests are forwarded to an external service, sensitive repo contents or referenced URLs could be transmitted to gitmcp.io without local controls or explicit consent. The lack of any credential requirement means private repo access is likely unsupported, but also means users may unintentionally leak public-but-sensitive or internal URLs.

      Persistence & Privilege: ok

      The skill does not request persistent/always-on presence and does not modify other skills or system settings. It runs only when invoked and does not declare elevated platform privileges.

      Guidance

      This skill delegates repo reading to an external service (gitmcp.io) and runs `npx -y mcp-remote` to talk to that service. Before installing or using it, consider: (1) Do not send private repositories or internal URLs — the service will receive the repo path and any URLs you pass (risk of data exposure). (2) The script executes unpinned npm code at runtime (npx -y); that can run arbitrary remote code — prefer a pinned, audited package or a local implementation. (3) Ask the publisher for the service homepage, privacy/security policy, and the source of the mcp-remote npm package; absence of these is a red flag. (4) If you must try it, run it in an isolated environment (sandbox/container) and avoid passing secrets or internal endpoints. (5) If you need a lower-risk option, prefer tools that call GitHub APIs directly with an explicit token you control, or host a trusted instance of the MCP service.

      Latest Release

      v1.0.1

      Improved description - explains why gitmcp.io beats raw GitHub scraping


      Published by @am-will on ClawHub
