ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oneshot Ship

v0.2.1

Ship code with oneshot CLI. One command that plans, executes, reviews, and opens a PR. Runs over SSH or locally. Use when the user wants to ship code changes...

0· 302·0 current·0 all-time
byAndrew Wilkinson@adwilkinson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described functionality (automated plan → implement → review → PR over SSH or locally) is coherent with requiring Git, SSH, and GitHub access and LLM CLIs. However the SKILL.md relies on multiple external CLIs and LLM services (Claude Code CLI, Codex CLI, GitHub CLI) that are not reflected in the registry metadata, which is an inconsistency worth noting.
!
Instruction Scope
SKILL.md instructs the agent to read entire repositories (and optional CLAUDE.md files), create worktrees, run commands locally or over SSH, and transmit implementation/review tasks to external LLMs (Anthropic and OpenAI). It also directs storing API keys in ~/.oneshot/config.json and may mirror JSONL event logs. These actions involve reading and transmitting potentially sensitive source code and secrets to third-party services and executing commands on remote hosts—behaviors beyond a simple helper and requiring explicit user consent and trust in the skill source.
Install Mechanism
There is no install spec in the registry (skill is instruction-only), yet the README suggests installing via `bun install -g oneshot-ship`. The absence of an authoritative install source / package manifest in the registry means the skill's suggested installation path isn't verified here and should be checked before running.
!
Credentials
Registry metadata declares no required env vars, but SKILL.md explicitly requires ANTHROPIC_API_KEY and OPENAI_API_KEY, GitHub CLI authentication, and optionally a Linear API key in config. Requiring multiple cross-service credentials (LLM keys, GitHub auth, Linear) is reasonable for the described pipeline but the omission from metadata is a red flag. The skill also asks to persist these secrets in a plaintext config file (~/.oneshot/config.json), which increases risk.
Persistence & Privilege
The skill writes config and history files under the user's home (~/.oneshot/config.json, ~/.oneshot/history.json), creates temporary worktrees, and can run background jobs (--bg). It does not request always:true and does not modify other skills. Persisting API keys and history locally is expected for the tool but is sensitive and should be reviewed.
What to consider before installing
Key points to consider before installing or running this skill: - The SKILL.md requests ANTHROPIC_API_KEY, OPENAI_API_KEY, GitHub authentication, and optionally Linear API credentials, but the registry metadata lists none — assume you will need to provide these. Confirm the exact credentials required before proceeding. - The pipeline will read whole repos and send code and prompts to external LLM services (Anthropic/OpenAI). If your repo contains sensitive information, do NOT run this against private repos unless you trust both the skill source and the LLM providers' data handling. - The tool stores keys in ~/.oneshot/config.json (plaintext in home directory per the doc). Prefer ephemeral or least-privilege tokens, and avoid long-lived secrets in that file. - The skill can operate over SSH and execute commands on remote servers. Only provide SSH access to hosts you fully control and audit what commands the oneshot tool will run (use --dry-run first). - There is no install manifest in the registry; the README suggests installing via bun from a GitHub repo. Verify the upstream repository and its release artifacts before installing any global binary. - Practical mitigations: run in --dry-run or --local mode first, inspect the prompts and what is sent to LLMs (prompts/*.txt and CLAUDE.md), use limited-scope GitHub PATs, use ephemeral LLM keys, and review ~/.oneshot/config.json and history after runs. If you cannot verify the source code or provenance, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

automationvk972nze15638qbpk5jp25m5ess824gv4claudevk972nze15638qbpk5jp25m5ess824gv4clivk972nze15638qbpk5jp25m5ess824gv4codexvk972nze15638qbpk5jp25m5ess824gv4latestvk9794fjv90jzen355zd5q3nyxd846qm6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments