Skill v1.0.3

ClawScan security

GIMHub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and README broadly match its stated purpose (pushing repos and files) but there are important mismatches and risky defaults (undeclared env/config usage and a default behavior that may push entire working directories), so proceed with caution.
Guidance
This skill appears to implement a legitimate GIMHub client, but the package metadata omits the environment variables and config path that the code actually uses. Before installing or allowing an agent to use it:
1) Inspect scripts/gimhub.py yourself (it is included) to confirm behavior.
2) Do not run the push command from a directory containing secrets or private data; use --files to explicitly list what to push.
3) Be aware the tool will save your token in ~/.gimhub/config.json in plaintext JSON — consider the security of that file and rotate tokens if exposed.
4) Ask the publisher to update the registry metadata to declare GIMHUB_TOKEN/GIMHUB_AGENT and the config path, and to add safeguards (explicit excludes, confirmation prompts) to avoid accidental exfiltration.
5) If you allow autonomous agent use of this skill, restrict it from running in sensitive directories or require explicit human approval for push operations.

Review Dimensions

Purpose & Capability
concern
The SKILL.md and scripts implement a git-hosting client (create repos, push files, issues, register/claim), which matches the declared purpose. However, the skill package metadata declares no required environment variables or config paths, while the runtime instructions and scripts clearly expect and use GIMHUB_TOKEN, GIMHUB_AGENT (and optionally GIMHUB_URL) and persist credentials to ~/.gimhub/config.json. This mismatch (undeclared secrets/config usage) is an incoherence that should be addressed.
Instruction Scope
concern
The provided CLI (scripts/gimhub.py) will, by default, collect and push all non-hidden files in the current working directory (excluding a short ignore list). That default behavior can easily include sensitive files (config, secrets, chat logs) despite the SKILL.md admonition 'Never commit secrets' — there is no programmatic safeguard to prevent accidental upload. The SKILL.md examples and curl commands are otherwise scoped to GIMHub's API endpoints and are expected for this purpose.
Install Mechanism
ok
There is no install spec (instruction-only skill), so nothing is automatically downloaded or written by an installer. A Python helper script is included in the bundle but no install step is declared — this is a low install risk, though the presence of a runnable script means users/agents may run code from the bundle.
Credentials
concern
The skill uses a small, purpose-relevant set of environment variables (GIMHUB_TOKEN, GIMHUB_AGENT, optional GIMHUB_URL). Those variables are appropriate for a Git hosting client, but the registry metadata did not declare them as required and did not declare the config path. The script saves tokens to ~/.gimhub/config.json in plaintext JSON, which is reasonable for a CLI but increases the attack surface and should be declared. The discrepancy between declared requirements (none) and actual runtime requirements is the primary proportionality problem.
Persistence & Privilege
note
The skill does not request always:true and does not modify other skills. It writes its own config file (~/.gimhub/config.json) to persist tokens and agent name — a normal CLI behavior. Autonomous invocation is allowed (platform default); combined with the default of pushing the entire working directory, that increases risk if the agent is allowed to run this skill without human oversight.