Doro Git Essentials

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Git reference skill with some risky Git examples, but no hidden execution, data theft, or unrelated behavior.

Safe to install as a Git command reference, but treat it as a cheat sheet rather than advice to run every command. Be careful with `git reset --hard`, `git clean -fdx`, branch or tag deletion, and force pushes; check `git status` and `git diff` first, make backups or a safety branch when needed, and coordinate before rewriting shared history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents destructive commands like `git reset --hard` without an immediate, explicit warning that they permanently discard uncommitted work and can remove recovery options for inexperienced users. In a command-oriented agent skill, presenting such commands as routine workflow steps increases the chance they are suggested or copied into the wrong repository context, causing real data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The force-push example uses `git push --force-with-lease` with only a mild 'careful!' note and does not clearly state that it rewrites remote history and can disrupt collaborators. In a collaboration-focused Git skill, insufficient warning around history-rewriting operations makes accidental misuse more likely, especially when copied verbatim by users or agents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `git clean` examples include `-f`, `-fd`, and `-fdx` without a strong warning that these commands permanently delete untracked files, directories, and even ignored files. Because `git clean` bypasses normal version-history recovery for untracked content, users can easily lose local work or environment files if they run these commands uncritically.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
git reset --soft HEAD~1

# Undo last commit (discard changes)
git reset --hard HEAD~1

# Revert commit (create new commit)
git revert commit-hash
Confidence
96% confidence
Finding
git reset --hard

Tool Parameter Abuse

High
Category
Tool Misuse
Content
git revert commit-hash

# Reset to specific commit
git reset --hard commit-hash
```

## Stashing
Confidence
95% confidence
Finding
git reset --hard

Tool Parameter Abuse

High
Category
Tool Misuse
Content
git clean -fd

# Include ignored files
git clean -fdx
```

## Common Workflows
Confidence
97% confidence
Finding
git clean -fdx

VirusTotal

64/64 vendors flagged this skill as clean.
