Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Incident Hotfix

v0.1.0

Coder-focused incident response and hotfix execution for production issues. Use when you need reproducible triage, patch/rollback decisions, CI-safe hotfix b...

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (incident hotfix, evidence capture, branch creation) matches the provided scripts and docs. The skill reasonably performs git operations and creates incident files. No unexpected external services or credentials are declared.
Instruction Scope
SKILL.md instructs running the two provided scripts which perform repo operations and capture environment variables. The scripts run git fetch/pull/checkouts (network and repo-modifying operations) and write to docs/incidents/<ID> — these are within incident workflow but have side effects that should be explicitly acknowledged in the README (network fetch/pull, branch creation). The scripts also capture a subset of environment variables that is broader than the declared metadata (see environment_proportionality).
Install Mechanism
No install spec; this is instruction-only with two small shell scripts. Nothing is downloaded or installed automatically. This is low-risk from an install point of view.
Credentials
Although the skill declares no required environment variables, scripts/capture_evidence.sh explicitly captures env vars matching '^(NODE_ENV|ENV|APP_ENV|CI|GITHUB_)'. That can include sensitive values (e.g., GITHUB_TOKEN or other CI secrets) depending on environment. The skill does not document or require these credentials but will read and write them into the incident evidence bundle if present — this is disproportionate and should be restricted or documented.
Persistence & Privilege
The skill does not request permanent platform privileges and sets always:false. It creates files under docs/incidents/<ID> and may create git branches and perform git fetch/pull operations — reasonable for a hotfix workflow, but these actions modify repository state and perform network operations; the script should prompt for confirmation or document these side effects. Also, docs/incidents/<ID> uses the raw ID value without sanitizing path separators, which could enable directory traversal or accidental writes outside the expected directory if untrusted IDs are supplied.
What to consider before installing
This skill appears to do what it says (create hotfix branches and capture evidence) but requires review before running in a real repo or CI environment. Specific things to check:

1. Inspect and, if needed, sanitize the --id value before running (the scripts use the raw ID in file paths; avoid IDs with slashes or ..).
2. Ensure you do not run capture_evidence.sh in environments that expose secrets — it captures env vars matching NODE_ENV, ENV, APP_ENV, CI and GITHUB_ (which may include GITHUB_TOKEN). Consider removing GITHUB_* from the captured set or explicitly filtering tokens.
3. Be aware the scripts run git fetch/pull and create branches; run in a sandboxed clone or verify remotes and permissions first.
4. If you plan to automate agent invocation, require user confirmation before these scripts execute.

If these concerns are addressed (sanitize IDs, limit captured env vars, and document git/network side effects), the skill is reasonable for incident workflows.


Tags: coding, hotfix, incident, latest

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
