Back to skill
Skillv1.0.0
ClawScan security
commit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 12:09 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are coherent with its stated purpose (create a single git commit from current changes and push the branch); nothing requested is disproportionate or unrelated.
- Guidance
- This skill will stage all changes and push the current branch to origin using whatever git credentials are configured in the environment — it can therefore publish accidental or sensitive changes. Only allow it to run in repositories you trust, and consider reviewing git status/diff output yourself before invoking. Ensure your environment has the correct remote and credentials, and that you are comfortable with an automated single-commit workflow (no interactive confirmation). If you want more conservative behavior, modify the workflow to prompt before staging/pushing or to exclude certain paths (e.g., secrets).
Review Dimensions
- Purpose & Capability
- okName and description (create a commit and push) align with the instructions: the SKILL.md explicitly reads git status/diff/log, stages changes, commits once, and pushes to origin. No unrelated binaries, env vars, or installs are requested.
- Instruction Scope
- noteInstructions stay within git-related operations (status, diff, branch, log, add, commit, push). However, the required sequence stages all changes and pushes to origin, which will modify the remote repository and could publish sensitive changes if present — this is expected for a commit/push skill but is a notable operational risk to be aware of.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded during install.
- Credentials
- okNo environment variables or credentials are requested by the skill. It will rely on whatever git credentials/configuration already exist in the agent's environment (SSH keys, credential helpers), which is appropriate for a git commit/push operation.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent / elevated platform privileges beyond normal agent execution and running Bash commands.