Skillv1.1.0

ClawScan security

Peter Commit Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 6:56 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (committing, pushing branches, creating PRs) but the metadata omits required tools and credential expectations, which is an incoherence users should notice before installing.
Guidance: This skill appears to do what it says (turn staged changes into commits, push branches, and create PRs), but the metadata omits important runtime expectations. Before installing or enabling it: 1) Confirm the agent environment has git, and (if you want full automation) the GitHub CLI (gh) and any necessary npm tooling. 2) Be aware the skill will use whatever git/GitHub credentials are available — ensure those credentials have appropriately limited scope (e.g., a deploy key or a token without admin rights) or require manual approval before push/PR. 3) Require an explicit confirmation step (or dry-run mode) before any automatic git add/commit/push to avoid unintended repository changes. 4) Prefer the skill to document required binaries and credential requirements in metadata (declare git, gh, npm and note that GH auth is needed). If you cannot trust the environment’s credentials or want stricter control, do not give the agent permission to run this skill autonomously and instead invoke it manually when you can supervise the actions.

Review Dimensions

Purpose & Capability: noteThe SKILL.md focuses on checking the working tree, creating commits, pushing branches, and creating/updating PRs — this matches the skill name and description. However, the package metadata declares no required binaries or credentials even though the instructions call for git, npm (optional workflow checks), and the GitHub CLI (gh). The lack of declared runtime dependencies is an inconsistency (likely sloppy/omission rather than malicious) but worth flagging.
Instruction Scope: okRuntime instructions stay within the expected scope: they run git status/diff/add/commit/push, may run a repository-local workflow check script or `npm run workflow:check`, and use `gh pr create` to create/update PRs. The steps include sensible safeguards (avoid git add . by default, block commits if review failed, disallow direct push to main/master). The instructions do not request unrelated system files or exfiltrate data to unknown endpoints; external network activity is limited to standard Git/GitHub operations.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so there is no installer or downloaded code to evaluate. That lowers install-time risk. The risk is therefore operational (it will execute local git/gh commands) rather than an install-time risk.
Credentials: concernThe skill declares no required environment variables or primary credential, but it implicitly depends on local git credentials and GitHub authentication for `git push` and `gh pr create`, and possibly on npm for repo checks. The omission means the skill will rely on whatever credentials are present in the agent environment (SSH keys, saved git creds, or GH CLI auth). That lack of explicit declaration is a proportionality/information problem: users may not realize the skill will exercise existing credentials with push/PR privileges.
Persistence & Privilege: okThe skill does not request persistent presence (always is false) and does not modify other skills or system-wide settings. It requires the usual runtime permission to run git/gh commands in the repository context; autonomous invocation is allowed by default but is not itself flagged here.