THRONE
See report Verify server

registry / record

github.com/github/github-mcp-server

github / sealed 2026-06-12 / No. d943f1d5

re-scan this server gate it in your CI
> throne registry github.com/github/github-mcp-server sealed
This target couldn't be started as an MCP serverno package.json or pyproject.toml at the repository root — Throne can launch Node (npm/pnpm/yarn) and Python (uv) projects
receiptsealed evidence
scan id
d943f1d5907e4af68dfecba882d4f214
target
https://github.com/github/github-mcp-server
sealed at
2026-06-12 06:57:06Z
evidence hash
sha256:535e3adf3d8acce07ea12419ea0a53c70ac5d21024234a4d7de4b5d7a6279963
01connectFAIL0ms

server never launched: no package.json or pyproject.toml at the repository root — Throne can launch Node (npm/pnpm/yarn) and Python (uv) projects

02discoverSKIPPED0ms

not run — server never launched

03validate_schemasSKIPPED0ms

not run — server never launched

04smoke_test_toolsSKIPPED0ms

not run — server never launched

05error_handlingSKIPPED0ms

not run — server never launched

06streamingSKIPPED0ms

not run — server never launched

07resource_lifecycleSKIPPED0ms

not run — server never launched

08concurrent_callsSKIPPED0ms

not run — server never launched

09reconnectSKIPPED0ms

not run — server never launched

01connectFAIL0ms

server never launched: no package.json or pyproject.toml at the repository root — Throne can launch Node (npm/pnpm/yarn) and Python (uv) projects

02discoverSKIPPED0ms

not run — server never launched

03validate_schemasSKIPPED0ms

not run — server never launched

04smoke_test_toolsSKIPPED0ms

not run — server never launched

05error_handlingSKIPPED0ms

not run — server never launched

06streamingSKIPPED0ms

not run — server never launched

07resource_lifecycleSKIPPED0ms

not run — server never launched

08concurrent_callsSKIPPED0ms

not run — server never launched

09reconnectSKIPPED0ms

not run — server never launched

chatgpt desktopemulation profile pending real-traffic captureCOMING SOON
SECURITY: REVIEW / 6 finding(s) / review material, not a verdict
MEDIUMTHR-SECRET-02 / Hardcoded secrets or tokens in source

Token assigned a literal value 0123… (40 chars) — verify it is not a live credential

github-mcp-server-HEAD/pkg/http/middleware/pat_scope_test.go:102
LOWTHR-NET-05 / Hardcoded outbound endpoints

13 non-local endpoint host(s) referenced in code — verify each is expected for this server's purpose: api (github-mcp-server-HEAD/pkg/utils/api.go:108), api.githubcopilot.com (github-mcp-server-HEAD/cmd/github-mcp-server/generate_docs.go:371), avatars.githubusercontent.com (github-mcp-server-HEAD/pkg/github/ui_resources.go:37), docs.github.com (github-mcp-server-HEAD/pkg/github/copilot.go:161), hostname (github-mcp-server-HEAD/pkg/utils/api.go:167), insiders.vscode.dev (github-mcp-server-HEAD/cmd/github-mcp-server/generate_docs.go:371), primer.style (github-mcp-server-HEAD/pkg/github/tools.go:19), raw (github-mcp-server-HEAD/pkg/utils/api.go:123), raw.hostname (github-mcp-server-HEAD/pkg/utils/api.go:176), spec.graphql.org (github-mcp-server-HEAD/internal/githubv4mock/query.go:75), uploads (github-mcp-server-HEAD/pkg/utils/api.go:118), uploads.github.com (github-mcp-server-HEAD/pkg/utils/api.go:72), uploads.hostname (github-mcp-server-HEAD/pkg/utils/api.go:164)

github-mcp-server-HEAD/cmd/github-mcp-server/generate_docs.go:371
MEDIUMTHR-PROMPT-07 / Prompt injection via tool descriptions

injection-style phrase in source string: 'do not tell the user'

github-mcp-server-HEAD/pkg/github/issues.go:1943
MEDIUMTHR-PROMPT-07 / Prompt injection via tool descriptions

injection-style phrase in source string: 'do not tell the user'

github-mcp-server-HEAD/pkg/github/pullrequests.go:696
LOWTHR-VER-11 / Outdated MCP SDK or protocol version pin

obsolete protocol version string '2024-11-05' in source

github-mcp-server-HEAD/cmd/mcpcurl/main.go:467
LOWTHR-VER-11 / Outdated MCP SDK or protocol version pin

obsolete protocol version string '2024-11-05' in source

github-mcp-server-HEAD/cmd/mcpcurl/main_test.go:151
VERDICT: INCONCLUSIVESANDBOXED RUN — submitted server executed in a disposable microVM — compatibility not assessable: server never launched: no package.json or pyproject.toml at the repository root — Throne can launch Node (npm/pnpm/yarn) and Python (uv) projects / security: review — 6 finding(s), 0 highsealed by THRONE / No. d943f1d5 / 2026-06-12
executed in a disposable microVM, created for this scan and destroyed after it. nothing outlives a run.

maintainer of this server? challenge this record: hello@usethrone.dev. tell us what we got wrong and we re-run it in the open.

this page renders the stored record of a real run. nothing on it is asserted without the execution that proved it.