Incident Hotfix
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The hotfix workflow is mostly coherent, but its scripts can write outside the intended incident folder and may save GitHub tokens or other environment values into incident evidence.
Install only if you are comfortable reviewing and possibly editing the scripts first. In particular, restrict incident IDs to safe characters and remove or redact the `GITHUB_` environment capture before using the evidence bundle in a repository or shared incident record.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or crafted incident ID could cause the helper script to write incident files in unintended parts of the repository.
The incident ID is accepted from arguments and then used directly in filesystem paths. The script sanitizes the branch slug, but not the directory path, so an ID containing `../` or path separators could create or overwrite files outside `docs/incidents/<id>`.
--id) ID="$2"; shift 2 ;;
...
mkdir -p "docs/incidents/${ID}/evidence"
...
cat > "docs/incidents/${ID}/TIMELINE.md"
Validate incident IDs against a strict pattern, reject `..` and path separators, resolve the output path before writing, and refuse to overwrite existing incident files without confirmation.
If a GitHub token or similar secret is present in the environment, it could be saved into the incident evidence bundle and later committed, shared, or uploaded.
The evidence script records all environment variables beginning with `GITHUB_` into a repository-local evidence file. That prefix can include sensitive values such as `GITHUB_TOKEN` or personal access tokens, despite the SKILL.md describing the capture as a safe subset.
( env | grep -E '^(NODE_ENV|ENV|APP_ENV|CI|GITHUB_)' || true ) > "$OUT/env-safe.txt"
Use a narrow allowlist of non-secret variables, redact values matching token/secret/key/password patterns, or capture only variable names unless the user explicitly approves including values.
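As an added example (not the scan's or the skill's own script), a POSIX sh version of the two fixes recommended above: strict incident-ID validation with no-overwrite directory creation, and an exact-name allowlist for the environment capture. The function names and the `docs/incidents/<id>` layout are assumptions taken from the quoted fragments.

```shell
#!/bin/sh
# Added example, not the skill's own script: hardened versions of the two
# patterns flagged above. Function names and the docs/incidents layout are
# assumptions taken from the quoted fragments.
set -eu

# Accept only IDs that cannot escape docs/incidents/<id>: a lowercase
# letter or digit followed by up to 63 letters, digits or hyphens.
# "..", "/", "\", spaces and a leading "-" are all rejected.
validate_incident_id() {
  case "$1" in
    ''|-*|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Create the incident folder under $1 and print its path. Refuses to reuse
# an existing folder so a mistaken ID cannot silently overwrite a record.
incident_dir() {
  root=$1; id=$2
  validate_incident_id "$id" || { echo "invalid incident id: $id" >&2; return 1; }
  dir="$root/docs/incidents/$id"
  [ ! -e "$dir" ] || { echo "refusing to overwrite $dir" >&2; return 1; }
  mkdir -p "$dir/evidence"
  printf '%s\n' "$dir"
}

# Record only an allowlist of non-secret variables, matched on the full
# name: the original '^(...|CI|GITHUB_)' pattern is a prefix match, so it
# would also capture e.g. CI_JOB_TOKEN. GITHUB_* is logged by name only.
capture_safe_env() {
  out=$1
  env | grep -E '^(NODE_ENV|ENV|APP_ENV|CI)=' > "$out" || true
  env | grep -E '^GITHUB_[A-Za-z0-9_]*=' | sed 's/=.*/=<redacted>/' >> "$out" || true
}
```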
Running the script can change the current branch, update refs, and create a new branch in the active repository.
The helper script mutates local git state and contacts configured remotes. This is expected for creating a hotfix branch, but it is still a high-impact repository action.
git fetch --all --prune || true
git checkout "$BASE"
git pull --ff-only || true
git checkout -b "$BRANCH"
Run it only in the intended repository, with a clean or backed-up working tree, and confirm the base branch before execution.
