commit

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill does what it claims, but it can stage, commit, and push all repository changes without a review or confirmation step.

Install or use this only if you are comfortable letting the agent stage all current repository changes, create a commit, and push the current branch. Check for secrets, generated files, incorrect branches, and unwanted untracked files before invoking it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

It could commit and push files the user did not intend to publish, including untracked files or accidental secrets.

Why it was flagged

The skill uses Bash to perform broad Git mutation actions. Staging everything and pushing are high-impact operations, and the instructions do not require user review before committing or publishing changes.

Skill content
allowed-tools: [Bash] ... stage everything, create one commit, and push the current branch
Recommendation

Review `git status` and `git diff --staged` yourself before invoking, and consider modifying the skill to require confirmation before commit and push.

ASI08: Cascading Failures
Medium
What this means

A bad local state could be shared with collaborators or CI/CD systems before the user notices.

Why it was flagged

Pushing to origin can propagate a local mistake to a shared or public remote repository, and `--set-upstream` can publish a branch that was not previously tracking a remote.

Skill content
Push the current branch to origin (use `--set-upstream origin <branch>` if needed).
Recommendation

Use only in repositories where pushing the entire current branch is safe, and prefer a workflow that confirms the target remote and branch before pushing.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill may use the user's repository permissions to publish commits to the configured origin.

Why it was flagged

The push will rely on whatever Git credentials or SSH identity are already configured for the user. This is expected for a commit-and-push skill, but it is still account-level authority over the remote repository.

Skill content
push the current branch to origin
Recommendation

Confirm the repository remote and active Git identity are correct before using the skill.