v0.2.1

Unfuck My Git State

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

This appears to be a legitimate Git recovery helper, but it can guide changes to Git metadata and creates local diagnostic snapshots, so users should run it carefully.

Guidance

Before installing or using this skill, review the scripts, run them only in the intended repository, make the recommended .git backup before force/manual repairs, and be careful with commands like git branch -f, git worktree prune, and manual .git/HEAD edits. Treat generated snapshot files as potentially sensitive, and remember that git fetch --all --prune will contact configured remotes.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Note
SKILL.md
git worktree prune -v ... git branch -f <branch> origin/<branch> ... echo "ref: refs/heads/<branch>" > .git/HEAD

These commands can mutate worktree metadata, branch pointers, and HEAD. They are purpose-aligned for Git recovery and are surrounded by backup/verification guidance, but users should notice the repository-impacting authority.

User impact: If run against the wrong repository or branch, these commands could change local Git state or make local work harder to find until recovered.
Recommendation: Confirm the repo path and intended branch, inspect reflog for unpushed work, back up .git before force/manual operations, and run only the smallest matching playbook.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
metadata
Source: unknown; Homepage: none; Required binaries (all must exist): none; Install specifications: No install spec

The provenance and dependency metadata are sparse even though the manifest includes executable shell scripts. The included source is visible and no remote installer is shown, so this is a transparency note rather than a concern.

User impact: Users have limited upstream provenance information and should not rely on metadata alone to understand prerequisites.
Recommendation: Review the bundled scripts before use and ensure expected local tools such as Bash and Git are available.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
scripts/snapshot_git_state.sh
OUT_DIR="$TOPLEVEL/.git-state-snapshots/$STAMP" ... run_capture remote_verbose git -C "$TARGET" remote -v ... run_capture reflog_head git -C "$TARGET" reflog --date=iso -n 50 HEAD

The snapshot script persistently stores local diagnostic context, including remote URLs, branch/ref data, and reflog history, in a repo-local directory.

User impact: Snapshot files may reveal repository paths, branch names, remote URLs, or recent Git history if shared or accidentally committed.
Recommendation: Keep snapshots local, review them before sharing, ensure .git-state-snapshots is not committed, and delete the directory when recovery is complete if it is no longer needed.