Git

Security checks across malware telemetry and agentic risk

Overview

This is a Git reference skill whose risky commands are normal for version control work and are disclosed, with no hidden scripts or exfiltration behavior found.

Safe to install as Git guidance. Before allowing an agent to run commands from it, review any reset, clean, rebase, force-push, tag deletion, or remote push/delete command, and verify the repository, branch, remote, and working-tree status first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill presents destructive recovery commands like `git reset --hard HEAD@{5}` without any nearby warning that they discard uncommitted changes and can irreversibly overwrite the working tree and index. In a Git skill, such commands can be legitimate, but omitting guardrails makes accidental data loss substantially more likely when users or agents copy commands verbatim.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill lists destructive history-rewriting commands such as `git reset --hard HEAD~1` without any warning that they can permanently discard uncommitted work. In an agent skill meant to guide day-to-day Git usage, omission of safety guidance increases the chance that users or downstream agents invoke these commands inappropriately and lose data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Clean section includes `git clean -f`, `-fd`, and `-fdx` without emphasizing that they delete local untracked files and, with `-fdx`, ignored files as well. In an automation-oriented skill, this can directly cause irreversible local file loss if copied or executed blindly.

VirusTotal

63/63 vendors flagged this skill as clean.
