Open Source Release
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill largely matches its open-source release purpose, but it includes commands that can force-push/delete Git branches and make a private GitHub repo public while bypassing the normal confirmation prompt.
Install only if you want an agent-assisted open-source release checklist, and do not allow the final force-push, branch deletion, or public-visibility command to run unattended. Confirm the exact repository, active GitHub account, backup status, and sensitive-data scan results first.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed on the wrong repo or before review is complete, private code could become public or remote Git history could be overwritten/deleted.
These commands can rewrite remote history, delete a branch, and make a repository public; the visibility command also uses the flag that accepts GitHub's visibility-change consequences.
git push origin main --force
git push origin --delete {old-branch}
...
gh repo edit {owner}/{repo} --visibility public --accept-visibility-change-consequences
Require explicit user confirmation immediately before force-pushing, deleting branches, or changing visibility; verify the GitHub account, owner/repo, branch, sanitized contents, and backup before running these commands.
The command can affect any repository the active GitHub account is authorized to edit.
This operates through the user's authenticated GitHub CLI session and delegated repository permissions.
gh repo edit {owner}/{repo} --visibility public --accept-visibility-change-consequences
Before use, run `gh auth status` and confirm the active account and target repository are exactly the ones intended.
Private release details could persist into future agent context if copied into the memory file.
The optional housekeeping step writes release notes to a persistent project memory file.
Update memory/{project}.md with release notes
Review and sanitize any release notes before writing them to persistent memory.
