Git Repo to Book

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: git-repo-to-book
Version: 1.0.0

The skill is classified as suspicious due to multiple shell injection and path traversal vulnerabilities. Specifically, the `SKILL.md` instructs the agent to execute shell commands like `find <repo>`, `git clone <repo_url>`, and `python3 scripts/...` where user-controlled inputs (e.g., `Source repo`, `--title`, `--author`) are directly interpolated without explicit sanitization, creating potential for command injection. Similarly, Python scripts like `scripts/convert_to_html.py` and `scripts/validate_links.py` use `subprocess.run` and `Path(sys.argv[1])` respectively, which could be exploited if arguments derived from user input are not properly quoted or escaped by the agent's `exec` tool. While there is no evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or backdoor installation, these vulnerabilities pose significant security risks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could publish or update generated book content in a remote repository the user did not intend to modify.

Why it was flagged

A remote git push can use the user's existing git/SSH credentials and mutate a third-party account or repository, but the artifacts do not clearly require a final confirmation, identify the target remote, or bound which credentials/account will be used.

Skill content

## Phase 7: Publish

**Goal:** Push to GitHub and report.

### Tasks
- [ ] Final git commit
- [ ] Push to remote
- [ ] Report to user: word count, chapter count, URL

**Done when:** git push succeeds.

Recommendation

Require explicit user approval immediately before any git push, show the exact remote URL/branch, and default to local commits only unless the user provides an output repository.

What this means

The project may consume significant model budget and continue through many phases after the initial approval.

Why it was flagged

Parallel sub-agent orchestration is central to the skill and disclosed, but users should understand that this can run a long, costly, multi-step workflow.

Skill content

The skill orchestrates 7 phases, each running isolated sub-agents in parallel ... Writing agents run 4-5 in parallel, each handling 3 chapters.

Recommendation

Confirm the budget, chapter count, and stop conditions before starting, and monitor the WORKLOG/cost checkpoints during execution.

What this means

Incorrect or unintended instructions written into the worklog could influence later agents or persist across phases.

Why it was flagged

The shared WORKLOG is an intentional coordination mechanism, but it is persistent context that later agents rely on.

Skill content

- Read WORKLOG.md before starting any task
- Update WORKLOG.md after each milestone (append-only)

Recommendation

Review WORKLOG.md during long runs and avoid placing secrets, private data, or untrusted instructions in project coordination files.

What this means

Private source code or draft manuscript content may be sent to several model providers during research, writing, and review.

Why it was flagged

The skill intentionally routes work through multiple agents and model providers, which is disclosed and purpose-aligned but relevant if the source repo or manuscript is private.

Skill content

Research Agent ... Model: openrouter/google/gemini-2.5-pro-preview
Writing Agent ... Model: anthropic/claude-sonnet-4-6
Review Agent ... Model: openrouter/deepseek/deepseek-v3.2

Recommendation

Use only non-sensitive repositories unless your organization approves these providers, and redact secrets before giving a repo to the workflow.

What this means

Users may not realize before installation that the skill expects local command execution, git, Python, and sub-agent spawning.

Why it was flagged

The skill's own manifest declares tools and runtime dependencies, while the registry summary lists no required binaries and no derived capability tags. This looks like metadata under-declaration rather than hidden code.

Skill content

tools_required:
  - exec
  - sessions_spawn
  - read
  - write
dependencies:
  python: ">=3.8"
  system:
    - git
  optional:
    - pandoc

Recommendation

Surface these requirements in registry metadata and document that local command execution is used for manuscript assembly and git operations.