M MCPowered Scan a server
DirectoryRegistrySecurityInstallLearnBuild Scan a server

Server

GitHub

Published by github. Transport: stdio + HTTPS. Written in typescript.

Cross-source (2 sources)
View source on GitHub Scan status Methodology

Description

Description below is sourced from the LF AAIF MCP registry. MCPowered surfaces the publisher's own words; the publisher is the warrantor of any claims they make.

Connect AI assistants to GitHub - manage repos, issues, PRs, and workflows through natural language.

Tags

Integrates with GitHub

Tags are derived deterministically from the server's name and description. They drive the filter UI on the catalog directory and the per-target comparison pages.

Provenance

Server id
github/github/github-mcp-server
Repository
github/github-mcp-server
Package
oci:ghcr.io/github/github-mcp-server:1.0.4
Surfaced by
awesome-mcp-servers , LF AAIF registry
Category
Version Control

Scan status

Code axis
82 / 100
Higher is fewer findings; see how the code axis is computed.

Last scanned

Source hash d9c1a0a03037

Total findings 4 · 0 critical · 2 warning · 2 informational

Checks run Tool description scan , Tool output literal scan , Dependency CVE check , Permission audit

Findings

  • warning permission_audit methodology

    cmd/github-mcp-server/feature_flag_docs.go:138

    Matched os.WriteFile

    Suggested action The server writes to the filesystem. Verify the server documents which paths it touches.

    Patterns fs-write

  • warning permission_audit methodology

    internal/ghmcp/server.go:37

    Matched http.Client

    Suggested action The server makes outbound network calls. Verify the documented destination list matches.

    Patterns network-out

  • informational permission_audit methodology

    cmd/mcpcurl/main.go:388

    Matched exec.Command

    Suggested action The server spawns subprocesses. Review whether this matches the server's documented purpose.

    Patterns subprocess

  • informational permission_audit methodology

    cmd/github-mcp-server/feature_flag_docs.go:130

    Matched os.ReadFile

    Suggested action The server reads from the filesystem. Verify the server documents which paths it accesses.

    Patterns fs-read

What we couldn't check

  • dynamic_tool_descriptions

    Static analysis only sees descriptions hardcoded in source. Servers that compute descriptions at runtime (server-generated tools/list responses) are not covered by Check 1 at v0.

  • ast_indirection

    v0 regex sees only literal description strings. Descriptions assembled by concatenation or pulled through variable indirection evade detection until AST-level extraction lands in v1.

Install configuration

Universal install-config generation across agent clients (Claude Code, Cursor, Windsurf, ChatGPT Apps, Continue, Cline, Zed) is a v0 deliverable. For now, install per the publisher's repository instructions linked above. The auto-generated client-specific configuration block lands here when the install-config generator ships.

Disclaimer

Scan results describe what our static checks found and didn't find at the time of scan. They are not a recommendation, certification, or guarantee. A scanned-clean result is the absence of evidence of malice, not the presence of evidence of integrity. Servers can be compromised after scan. You are responsible for evaluating whether to install any MCP server. See our methodology for what we check, what we can't check, and the limits of static analysis.

MCPowered

Read the methodology · Appeal a finding · Browse the catalog