Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Git Workflow
v1.0.0
Git workflow assistant. Generates commit messages, PR descriptions, branch management suggestions, and automates common Git operations.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (commit/PR/branch helpers) matches the included scripts' observable behavior (git diff/log/branch commands). However SKILL.md references additional modules (pr_generator.py, branch_manager.py) and features (automatic branch deletion, smart interactive flows) that are not present in the distributed files — this mismatch is unexpected and unexplained.
Instruction Scope
Runtime instructions tell users to run scripts that operate on the local git repository (staging, commit generation, branch checks). The included code runs git subcommands (diff, log, branch, rev-list, etc.) which is expected, but SKILL.md examples describe destructive actions (deleting stale branches) and interactive 'smart-commit' flows that the provided main.py does not implement. The documentation's guidance to add git aliases and CI integration uses specific file paths; if those paths are incorrect or point elsewhere, they could cause confusion. The discrepancy between described operations and actual code is a scope/instruction coherence problem.
Install Mechanism
No install spec and no external downloads; this is instruction-only with local Python scripts. That minimizes supply-chain risk.
Credentials
The skill requests no environment variables or credentials. The code executes only local git commands via subprocess without network calls or external credentials, which is proportionate to a git helper.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-level privileges. It does not modify other skills' configs. Adding git aliases or CI steps is suggested in docs but would be a user action, not automatic.
What to consider before installing
This package mostly contains reasonable local git helper scripts, but the documentation and examples claim additional files and behaviors (PR generator, branch manager, branch deletion, smart interactive commits) that are missing from the code you were given. Before installing or wiring this into CI/aliases:
1) Ask the publisher for the missing files or the canonical source (homepage/source is unknown).
2) Manually inspect all scripts you will execute; run them in a disposable repo or sandbox first.
3) Do not add git aliases or CI steps that call these scripts until you confirm the scripts implement only the behavior you expect.
4) Be cautious with any future versions that add code to delete branches or run git push — those actions should be explicitly visible and reviewed.
If you want, provide the upstream/source or a repo URL and I can re-evaluate with that context.
Like a lobster shell, security has layers — review code before you run it.
latestvk97df9d4a5a9mg8dsv2k1dztt1840tbx
