commit

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill does what it advertises, but it can automatically commit and push all repository changes to a remote branch without an explicit review or confirmation step.

Review the repository status and diff yourself before invoking this skill. Avoid using it in sensitive, shared, or production repositories unless you add a confirmation step and restrict what files, branches, and remotes it may commit and push.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could commit and push unintended files, incomplete work, secrets, or unrelated changes to the remote repository.

Why it was flagged

The skill gives the agent Bash access and directs it to run broad Git mutation/publish actions, including staging all changes and pushing them remotely, without an explicit approval step.

Skill content

allowed-tools: [Bash] ... “stage everything, create one commit ... push the current branch to origin”

Recommendation

Only use this skill in repositories where you are comfortable with automatic commit-and-push behavior; add an explicit diff review and confirmation requirement before staging, committing, or pushing.

What this means

The skill may act with whatever Git remote write permissions are already available in the user’s environment.

Why it was flagged

Pushing to origin will usually use the user’s existing Git account credentials or SSH keys. This is expected for the skill’s purpose, but the metadata does not declare a credential requirement.

Skill content

“Push the current branch to origin (use `--set-upstream origin <branch>` if needed).”

Recommendation

Confirm the repository remote, branch, and account permissions before using the skill, especially in shared or production repositories.

Concern

High Confidence

ASI08: Cascading Failures

What this means

One mistaken or overly broad commit could be shared beyond the local machine and require cleanup or rollback.

Why it was flagged

A bad staged change is immediately committed and propagated to the remote branch, where it may affect collaborators or downstream automation.

Skill content

“Required sequence: 1. Stage changes. 2. Create a single commit. 3. Push the current branch to origin”

Recommendation

Require the agent to show the exact diff, list staged files, and ask for confirmation before pushing.