Skills Guide
Connect GitHub to Your OpenClaw Agent
Give your OpenClaw AI agent full read & write access to your GitHub account in about two minutes. After setup, the agent can push commits, open pull requests, manage issues, check CI runs, and read private repos — all from chat.
TL;DR
To give your OpenClaw AI agent full GitHub access (push, PR, issues, private repos):
- Toggle the GitHub skill on at openclawlaunch.com/dashboard/skills
- Open the dashboard Terminal button on your instance card
- Run gh auth login → pick GitHub.com → HTTPS → Login with web browser
- Open github.com/login/device, paste the one-time code, approve
- Verify with gh auth status
Total time: about 2 minutes. The OAuth token grants gist, read:org, repo, workflow scopes — enough for any agent workflow that touches GitHub.
Read-Only Token vs Full OAuth (Why Some Setups Fail)
The most common reason an AI agent can read a GitHub repo but cannot push is that the integration provisioned a temporary clone token instead of a full OAuth token. Here is the difference:
| Capability | Temporary Clone Token | OAuth Token (gh auth login) |
|---|---|---|
| Clone repo | Yes | Yes |
| Read private repos | Yes | Yes |
| git push | No (403 Forbidden) | Yes |
| Open / merge pull requests | No | Yes |
| Create / close issues | No | Yes |
| Edit workflows in .github/ | No | Yes (with workflow scope) |
| Lifetime | Minutes | Persists until revoked |
According to GitHub's official REST documentation and the gh auth login manual, the device-flow OAuth path is the recommended way to authenticate gh in interactive remote environments such as dev containers and AI agent sandboxes that have a human available to approve the device code. Fully unattended automation (CI runners, scripts) should use the GH_TOKEN environment variable instead. The official gh CLI repo at github.com/cli/cli has over 70,000 stars and is maintained by GitHub itself, making it the most stable command-line surface for agentic GitHub workflows.
What This Setup Does
The GitHub skill on OpenClaw Launch wires the official gh CLI into your agent's execution environment. Once you authorize it with your GitHub account, your agent can:
- Read public and private repositories you have access to
- Clone repos into the workspace and edit files
- Commit changes and git push to your branches
- Open, review, and merge pull requests
- Create and manage issues, labels, and milestones
- Watch CI runs and inspect workflow logs
- Manage releases and tags
Authentication uses GitHub's standard device-flow login, so your password and long-lived secrets never leave GitHub. The OAuth token gh stores in the container is scoped to your account and revocable from your GitHub settings any time.
Why You Need This (Read vs Write)
Some integrations — including a few popular agent toolkits — only give your agent a temporary clone token. Those tokens are read-only by GitHub design. They'll happily clone and read a repo, then return 403 Forbidden the moment your agent tries to git push. No amount of re-authorizing fixes it because the token type itself is the limit.
The GitHub skill takes a different path: it logs you in directly through gh auth login, which provisions a full-scope OAuth token (gist, read:org, repo, workflow). That token can push, PR, comment, label — everything your GitHub account can do.
Setup Steps
Step 1 — Toggle the GitHub Skill On
Go to openclawlaunch.com/dashboard/skills and find the GitHub skill (it's in the Development category). Make sure the dropdown at the top is set to the instance you want to give GitHub access to, then flip the toggle on. The skill installs into the running container in a few seconds — no restart needed.
Step 2 — Open the Instance Terminal
Go to openclawlaunch.com/dashboard, find the instance card for your bot, and click the Terminal button on it. A live shell opens straight into the container as the same user your agent runs as.
Step 3 — Run gh auth login
In the terminal, run:
gh auth login
At the prompts, choose:
- What account do you want to log into? — GitHub.com
- What is your preferred protocol for Git operations on this host? — HTTPS
- Authenticate Git with your GitHub credentials? — Yes
- How would you like to authenticate GitHub CLI? — Login with a web browser
Step 4 — Approve the One-Time Code
The terminal prints a one-time code that looks like XXXX-XXXX and tells you to open https://github.com/login/device. The terminal will also try to open your browser automatically and may print a harmless warning that no GUI browser was found in the container — that's expected; just open the URL on your own laptop or phone.
On that page:
- Paste the one-time code from the terminal
- Click Continue
- Review the permissions GitHub will grant (gist, read:org, repo, workflow) and click Authorize
Back in the terminal you'll see Authentication complete, Configured git protocol, and Logged in as <your-username>.
Step 5 — Verify
Confirm everything is wired up by running:
gh auth status
You should see something like:
github.com
✓ Logged in to github.com as <your-username>
✓ Git operations for github.com configured to use https protocol.
✓ Token: gho_*****************************
✓ Token scopes: gist, read:org, repo, workflow
Done. Tell your agent things like “list my open PRs” or “clone my foo/bar repo, fix the typo on line 12 of README, and push it.” The agent uses the gh CLI under the hood and the changes show up in your GitHub account.
What You Can Ask the Agent To Do
- “List my open pull requests across all repos”
- “Clone owner/repo, run the test suite, and report what failed”
- “Update the README in my-project to mention the new feature, then push”
- “Open a PR with the changes and tag @reviewer”
- “Show the CI status of the latest commit on main”
- “Create an issue titled ‘Refactor auth flow’ with this body...”
- “Cut a release tag v1.4.2 with these notes...”
Token Login (Alternative)
If you can't use the device flow — for example, you're running an automated provisioning script and can't open a browser — you can paste a personal access token instead:
gh auth login --with-token
GitHub recommends classic personal access tokens (not fine-grained) for use with gh, because gh's commands assume the broader scope model and some operations behave unexpectedly with fine-grained scoping. Create a classic PAT at github.com/settings/tokens with these scopes:
- repo — full read/write on private repos
- workflow — required if the agent will edit .github/workflows/
- read:org — optional, for org-wide repo discovery
Treat the PAT as a long-lived secret: keep it in a password manager, and only regenerate it if it's been exposed publicly. Regenerating the PAT immediately invalidates the token gh stored, so plan to re-run gh auth login --with-token with the new token after any rotation.
Troubleshooting
“gh: command not found”
The GitHub skill installs gh as part of its setup. If your terminal reports command not found after toggling the skill on, the skill activation is still in flight or the toggle didn't take. Reload the dashboard, confirm the skill shows as Installed, and re-open the terminal. If gh --version still fails, contact support and we'll get it installed for you.
“Failed opening a web browser”
This is harmless. The container doesn't have a GUI browser, so gh tries and fails to launch one. Just open https://github.com/login/device on your own device and paste the code from the terminal manually. Authentication still works.
Push still returns 403 after gh auth login
Run gh auth status and confirm the token scopes include repo. If they don't, run gh auth refresh -s repo,workflow and complete the device-flow approval again. If scopes are correct but push still fails, the target repo may have branch protection on the branch you're pushing to — push to a feature branch and open a pull request instead.
The agent “forgets” it's logged in
gh auth login writes credentials into the workspace at ~/.config/gh/hosts.yml, which is persistent across container restarts. You shouldn't need to log in again. If your agent acts like it's not authenticated, ask it to run gh auth status in the shell — that usually surfaces the real issue.
I want to disconnect
Run gh auth logout in the terminal to clear the credential locally, and optionally revoke the OAuth grant from github.com/settings/applications for a clean break. Toggle the GitHub skill off on the dashboard if you also want to remove the gh CLI from the container.
Frequently Asked Questions
Does this expose my GitHub credentials to OpenClaw Launch?
No. The OAuth token gh stores lives inside your container only. The authorization happens on GitHub.com directly — you paste the device code into GitHub's site, and GitHub hands the token back to gh running in your container. OpenClaw Launch never sees your password or token.
What scopes does the GitHub skill need?
The default device-flow login provisions gist, read:org, repo, and workflow. The minimum needed for typical agent work is repo (read/write content on private repos) and workflow (edit workflow files). You can narrow scopes with gh auth refresh -s <scopes> if you want.
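The scope check from the "Push still returns 403" troubleshooting step and the minimum-scope answer above can be scripted so that a missing or unexpected scope is flagged automatically. This is an added example, not part of the OpenClaw Launch skill or the gh CLI; the function names and the sample status text are constructed, and the two scope lists are the ones given on this page.

```shell
#!/bin/sh
# Added example: audit the scopes reported by `gh auth status`.
REQUIRED="repo workflow"               # minimum for typical agent work (per this page)
ALLOWED="gist read:org repo workflow"  # what the default device-flow login grants (per this page)

# Constructed sample of `gh auth status` output; user name and token are placeholders.
SAMPLE_STATUS='github.com
  ✓ Logged in to github.com as example-user
  ✓ Git operations for github.com configured to use https protocol.
  ✓ Token: gho_************
  ✓ Token scopes: gist, read:org, repo, workflow'

# Read status text on stdin, print one scope per line.
# Quotes are stripped because some gh versions print each scope quoted.
parse_scopes() {
  sed -n 's/.*Token scopes:[[:space:]]*//p' | tr -d "'\"" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d' | sort -u
}

# audit_scopes <status-text>
# Prints a one-line finding. Returns 0 if scopes are as expected,
# 1 if a required scope is missing (push or workflow edits will fail),
# 2 if the token carries a scope outside the expected set.
audit_scopes() {
  _have=$(printf '%s\n' "$1" | parse_scopes)
  _missing=""
  _extra=""
  for _s in $REQUIRED; do
    printf '%s\n' "$_have" | grep -qxF "$_s" || _missing="$_missing $_s"
  done
  for _s in $_have; do
    case " $ALLOWED " in
      *" $_s "*) ;;
      *) _extra="$_extra $_s" ;;
    esac
  done
  if [ -n "$_missing" ]; then echo "MISSING:$_missing"; return 1; fi
  if [ -n "$_extra" ]; then echo "UNEXPECTED:$_extra"; return 2; fi
  echo "OK"
}

# Demo on the constructed sample. Against a live login, use:
#   audit_scopes "$(gh auth status 2>&1)"
audit_scopes "$SAMPLE_STATUS"
```

If more than one account is logged in, the function audits the union of all reported scope lines, so check accounts one at a time in that case.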
Can the agent push to a repo I don't own?
Yes, if your authenticated GitHub user has write access to that repo — for example, you're a collaborator or your org has granted you push rights. The token inherits exactly your permissions; nothing more.
Does this work with GitHub Enterprise?
Yes. When prompted by gh auth login, choose GitHub Enterprise Server instead of GitHub.com and provide your enterprise hostname. The rest of the flow is identical.
How is this different from a Composio GitHub connection?
A Composio-style integration calls GitHub through a proxy and, in some setups, hands your agent a temporary clone token that's read-only. The GitHub skill connects your agent directly to GitHub via gh with a full-scope OAuth token, so push and write operations work natively. Both can coexist if you also want to use Composio for non-Git GitHub actions.
Will my work persist if the container restarts?
Yes. gh's credentials, your cloned repos, and any local commits all live in the persistent workspace volume at /home/node/. They survive restarts and image upgrades.