:smirk_cat: gimmePATz :smirk_cat: - Personal Access Token (PAT) recon tool

Have you ever found a GitHub or a NPM personal access token (PAT) and wondered "Is this valid?" or "I wonder what a bad guy could do with this?" Well, if so, I've got the tool for you!

Introducing gimmePatz, a comprehensive reconnaissance tool for PATs. gimmePATz will tell you if a PAT is valid, and what kind of PAT it is. It provides information about the user account that created the PAT, including what organizations that user is part of and how many followers they have. gimmePATz will show you what scopes a PAT has and what variables or secrets the PAT has access to. gimmePATz will list what repositories, NPM packages or GitHub Organisations the PAT is attached to as well, and tell you exactly what permissions the PAT has to each resource. This tool is designed for offensive security practitioners, like bug bounty hunters, pentesters and red teams. By using this tool, you agree to use it in a legal context.

You can point gimmePATz at a file and it will find all the PATs in that file and let you know if they are valid. gimmepatz supports JSON output as well, so you can save the output in JSON, and/or pipe the output of gimmePATz into other tools like jq. You can see some examples of the different ways to use gimmePATz in the "Advanced Usage" section below.

Features

🔍 Token Validation - Verify if the GitHub or NPM PAT you found is valid and what does it have access to?
🔑 Permission Analysis - Detailed breakdown of token scopes with descriptions
👤 User Information - Details about the user that created the PAT
📁 Repository Discovery - Find all repositories attached to this PAT
☢️ Enumerate Variables & Secrets - Identify any GitHub Variables or Secrets the PAT has access to
📋 JSON Output - Machine-readable format for automation
🔒 Privacy Separation - Clearly distinguish between private and public repos
🏢 Organization Support - Tells you what organizations are attached to this PAT
⬇️ Download Repos/Packages - Download files and repos that are found

Basic Usage

gimmepatz.py TOKEN

Prerequisites

Python 3.6+
requests library # pip install requests
git (for repository downloading)

Advanced Usage

# Discover secrets and variables
gimmepatz.py TOKEN --variables

# Include organization repositories
gimmepatz.py TOKEN --org GITHUB_ORGANIZATION

# JSON output for scripting
gimmepatz.py TOKEN --json

# Combined: organization repos + JSON output
gimmepatz.py TOKEN --org GITHUB_ORGANIZATION --json

# Save the output of gimmePATz in JSON output to a file
gimmepatz.py TOKEN --variables --org target-org --json > assessment.json

# Download all accessible repositories
gimmepatz.py TOKEN --download

# Download only private repositories
gimmepatz.py TOKEN --download --download-type private

# Custom download location
gimmepatz.py TOKEN --download --download-path ./target-repos

# Scan a file to see if it has any PATs in it
gimmepatz.py --scan ./example-file.json

Installation

Clone or download the script

git clone https://github.com/6mile/gimmepatz.git
cd ./gimmepatz/ && chmod u+x ./gimmepatz.py

Command Line Options

| Option | Description | |--------|-------------| | --json | Output results in JSON format | | --variables, --var | Enumerate GitHub variables and secrets | | --var-target | Target scope: all, user, repo, org | | --var-name | Specific repository or organization name | | --download | Download all accessible repositories | | --download-path | Custom download directory (default: repos) | | --download-type | Filter: all, private, public | | --org | Include specific GitHub organization analysis | | --debug | Enable verbose debug output | | --scan | Scan local files for PATs |

Output Examples

       _                         ______  ___ _____
      (_)                        | ___ \/ _ \_   _|
  __ _ _ _ __ ___  _ __ ___   ___| |_/ / /_\ \| |____
 / _` | | '_ ` _ \| '_ ` _ \ / _ \  __/|  _  || |_  /
| (_| | | | | | | | | | | | |  __/ |   | | | || |/ /
 \__, |_|_| |_| |_|_| |_| |_|\___\_|   \_| |_/\_/___|
  __/ |
 |___/             "Personal Access Token recon tool"
 ----------------------------------------------------
                                           by @6mile

✅ Token is valid

👤 Authenticated as: octocat
   Name: Octocat Maclean
   Account type: User
   Public repos: 4
   Private repos: 3
   Followers: 9714
   Following: 731

🏢 Organization Memberships (2 total):
   👤 Space-Force-Beta (member)
      Name: Space-Force-Beta
      Description: Building cool stuff for space
      Public repos: 2
      Private repos: 1
      URL: https://github.com/Space-Force-Beta

   👑 ThrifyBank (admin)
      Description: The thriftiest Neo Bank in Kansas!
      Public repos: 1
      Private repos: 5
      URL: https://github.com/thrifybank-kansas

🔑 Token Scopes (14 total):
   • codespace:secrets
   • notifications
   • read:audit_log
   • read:discussion
   • read:enterprise
   • read:org
   • read:packages
   • read:project
   • read:public_key
   • read:repo_hook
   • read:user
   • repo
   • user:email
   • workflow

Scope Descriptions:
--------------------------------------------------
  repo: Full access to repositories
  user: Access to user profile information
  notifications: Access to notifications

📊 Rate Limit Status:
   Limit: 5000
   Remaining: 4999
   Reset time: 1234567890

📁 Accessible Repositories:
   Found 25 accessible repositories:
   • 15 private repositories
   • 10 public repositories

🔒 Private Repositories (9):

   📂 octocat (3 private repos):
      • octocat/internal-api (admin)
      • octocat/database (admin)
      • octocat/external-api (admin)

   📂 Space-Force-Beta (1 private repos):
      • Space-Force-Beta/destrukto-beam (admin)

   📂 ThriftyBank (5 private repos):
      • thriftybank-kansas/web (admin)
      • thriftybank-kansas/docker (admin)
      • thriftybank-kansas/database-int (admin)
      • thriftybank-kansas/bank-vault (admin)
      • thriftybank-kansas/SAAS-PORTAL (admin)

🔓 Public Repositories (7):

   📂 octocat (4 public repos):
      • octocat/sdk (admin)
      • octocat/helpdesk-docs (admin)
      • octocat/aws-sdk-helpers (admin)
      • octocat/stinkyCaptain (admin)

   📂 Space-Force-Beta (1 public repos):
      • Space-Force-Beta/destrukto-beam (admin)

   📂 thrifybank-kansas (1 public repos):
      • thrifybank-kansas/node-restify (admin)

JSON Output

{
  "token_valid": true,
  "user_info": {
    "login": "octocat",
    "name": "The Octocat",
    "type": "User",
    "id": 1
  },
  "scopes": ["repo", "user", "notifications"],
  "rate_limit": {
    "limit": 5000,
    "remaining": 4999,
    "reset": 1234567890
  },
  "repositories": {
    "total": 25,
    "private": [
      {
        "name": "mycompany/internal-api",
        "owner": "mycompany",
        "permissions": {
          "admin": true,
          "push": true,
          "pull": true
        },
        "url": "https://github.com/mycompany/internal-api"
      }
    ],
    "public": [
      {
        "name": "octocat/awesome-project",
        "owner": "octocat",
        "permissions": {
          "admin": true,
          "push": true,
          "pull": true
        },
        "url": "https://github.com/octocat/awesome-project"
      }
    ]
  },
  "summary": {
    "total_repos": 25,
    "private_count": 15,
    "public_count": 10,
    "owners": ["mycompany", "octocat"]
  }
}

Token Scopes Reference

| Scope | Description | |-------|-------------| | repo | Full access to repositories | | public_repo | Access to public repositories only | | repo:status | Access to commit status | | repo_deployment | Access to deployment statuses | | user | Access to user profile information | | user:email | Access to user email addresses | | user:follow | Access to follow/unfollow users | | admin:org | Full access to organization, teams, and memberships | | write:org | Write access to organization and teams | | read:org | Read access to organization and teams | | gist | Write access to gists | | notifications | Access to notifications | | workflow | Access to GitHub Actions workflows | | write:packages | Write access to GitHub packages | | read:packages | Read access to GitHub packages | | delete_repo | Delete access to repositories |

Security Best Practices

Never commit tokens to version control

Use environment variables for tokens

export TOKEN="your_token_here"
gimmepatz.py "$TOKEN"

Regularly audit your tokens using this tool
Use minimal required scopes for each token
Set expiration dates on your tokens when possible
Rotate tokens regularly as part of security hygiene

Troubleshooting

Common Issues

"Invalid token or network error"

Verify your token is correct and active
Check internet connectivity
Ensure the token hasn't expired

"No repositories found"

Token might have limited scopes
User might not have access to any repositories
Check if you need to include organization repositories with --org

Rate limit exceeded

Wait for the rate limit to reset
Use authenticated requests (this tool does automatically)
Check rate limit status in the output

Error Codes

200: Success
401: Bad credentials (invalid token)
403: Rate limit exceeded or insufficient permissions
404: Resource not found (user/organization doesn't exist)

Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Gimmepatz

Install / Use

README