Github Contribution
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent GitHub contribution helper, but it can run Git commands that reset local branches and push to your fork, so users should review the target repository and branch before use.
This skill appears suitable for its stated GitHub contribution workflow. Before using it, make sure the target directory is the correct fork, commit or back up any local work, check the remotes, and understand that the script can reset local main/master and push to your GitHub fork.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script in a repository with local work on main/master could remove uncommitted changes, and it can push synchronized changes to your fork.
The script performs state-changing Git operations, including a hard reset of the local main/master branch and a push to the user's fork. This matches the fork-sync purpose, but it can discard local branch changes or alter the fork's main/master state.
git checkout main 2>/dev/null || git checkout master
git fetch upstream
git reset --hard upstream/main 2>/dev/null || git reset --hard upstream/master
...
git push origin main 2>/dev/null || git push origin master
Run it only in the intended fork, check `git status` first, and back up or commit any local work before allowing the sync step.
The script can use your GitHub authorization to modify your fork if your local Git environment is already authenticated.
The script pushes to a GitHub fork and may rely on the user's existing Git credential helper or interactive GitHub authentication. This is expected for a contribution workflow, but the registry metadata does not declare a primary credential.
FORK_URL="https://github.com/${USERNAME}/${REPO}.git"
...
git push origin main 2>/dev/null || git push origin master
Confirm the Git remote URLs before running and use a GitHub token or account with only the permissions needed for the fork.
The package metadata is slightly inconsistent, which may make it harder to confirm exactly which version is being reviewed or installed.
The supplied registry metadata and skill.json identify version 1.4.0, while _meta.json says 1.3.0. The skill also has no install spec despite including a shell helper. This is a provenance/packaging inconsistency, not evidence of malicious behavior.
"version": "1.3.0"
Prefer installing from a trusted source and verify that the script content matches the version you intend to use.
