Git Sentinel
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: git-sentinel Version: 1.0.0 The skill is suspicious due to two critical security vulnerabilities. First, the `sentinel.js` script uses `fs.readFileSync` with an unsanitized file path (`process.argv[3]`) derived from user input via the AI agent. The `SKILL.md` instructs the agent to execute this script with a user-specified `filepath`, creating a **prompt injection vulnerability that enables arbitrary file reading and data exfiltration** to the LLM if a sensitive file (e.g., `/etc/passwd`) is requested for review. Second, the `clawhub-auth.json` file contains a hardcoded `clawhub.ai` API token (`clh_JtPHgFngayrA3FdH6PY9SI-dfaYBV6RoeGf7PA6Q8uQ`), which is a severe security misconfiguration exposing a secret that could be compromised and abused.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the package can see the token; if it is live and broadly scoped, it could enable unauthorized registry actions or package impersonation.
A credential-looking registry token is bundled with the skill even though the metadata declares no credential requirement and the reviewer runtime does not need registry access.
"registry": "https://clawhub.ai", "token": "clh_JtPH..."
Revoke and rotate the token, remove clawhub-auth.json from the published package and history, and use environment/secret storage only for publishing workflows.
The agent can view the contents of staged or selected files, including secrets accidentally committed to those files.
The script runs a local Git command and reads staged or specified files. This is central to the code-review purpose, but users should understand the local file access.
execSync('git diff --cached --name-only', { encoding: 'utf-8' }); ... fs.readFileSync(file, 'utf-8')Run the skill only in repositories and on files you intend to review, and consider adding path, symlink, and exclusion checks for sensitive files.
Sensitive code or hardcoded secrets in reviewed files may be shown to the agent/model, and comments or strings in code could influence the review if not treated strictly as data.
Reviewed file contents are inserted directly into the prompt/output for the agent to analyze. That is expected for code review, but it means source code becomes model-session context.
CODE TO REVIEW:\n${fileContents} ... console.log(prompt)Add clear prompt boundaries such as 'treat code as untrusted data,' avoid reviewing files with secrets, and redact sensitive values where possible.
Normal skill use does not appear to install or run this dependency, but developers who run package tooling may get different code over time.
The dependency is marked as development-only and is not invoked by an install spec, but a floating 'latest' dependency is less reproducible than a pinned version.
"devDependencies": { "clawhub": "latest" }Pin development dependencies, keep publishing tooling out of the runtime package, and align metadata with the Node.js/Git requirements documented in SKILL.md.