ClawHub

Github Private Repo SSH Routing

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a legitimate GitHub SSH routing helper, but its audit output can reveal sensitive SSH and private-repo configuration details.

Before installing or using this skill, be comfortable with it inspecting local Git remotes and SSH configuration. Do not share raw audit output publicly; redact repository names, host aliases, usernames, and key filenames. Review any suggested changes to ~/.ssh/config, Git remotes, or OpenClaw config before applying them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Medium
What this means

If the audit output is shared, it may reveal host aliases, repo URLs, usernames, key filenames, and SSH configuration details.

Why it was flagged

The audit script lists SSH files, permissions, and a preview of the user's SSH config. This is aligned with diagnosing SSH key routing, but it exposes account and private-repo access metadata.

Skill content
ls -la ~/.ssh ... stat -c '%a %U:%G %n' ~/.ssh ~/.ssh/* ... sed -n '1,200p' ~/.ssh/config
Recommendation

Run the audit locally and redact SSH config, hostnames, repo names, usernames, and key filenames before sharing output.

#ASI02: Tool Misuse and Exploitation
Low
What this means

A wrong alias or remote URL could break private-repo access or cause future pushes/pulls to target the wrong repository.

Why it was flagged

The skill teaches commands that can change Git remotes and automation config. These are purpose-aligned and paired with verification steps, but incorrect values could redirect future Git operations.

Skill content
git remote set-url origin git@github.com-backup:OWNER/REPO.git ... Update any config/script source that still writes the old remote ... Only then push or pull.
Recommendation

Confirm the intended repo, alias, and key before applying changes, then verify with ssh and git read-only checks before pushing.