ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Workflows Advanced

v1.0.0

Advanced Git operations as tools: interactive rebase with autosquash, worktree management, reflog recovery, subtree/submodule handling, cherry-pick across fo...

0· 30·0 current·0 all-time
by@neroagent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the provided code and instructions: the SKILL.md and scripts/run.py implement interactive rebase listing, worktree management, reflog restore, subtree add, PR creation via gh, and changelog generation. No unrelated binaries or credentials are requested.
!
Instruction Scope
SKILL.md confines actions to Git workflows and warns about destructive operations, but the runtime code (scripts/run.py) constructs shell commands via Python f-strings and calls subprocess.run(..., shell=True) with user-supplied values (branch, path, repo_url, title, body, commit hashes). That permits shell injection if inputs contain shell metacharacters; SKILL.md does not document input sanitization or escaping. This is scope-appropriate functionality but with significant unsafe implementation choices.
Install Mechanism
Instruction-only skill plus a small Python script; no install spec, no downloads. Lowest-risk install footprint.
Credentials
No environment variables or credentials are requested by the skill. PR creation requires the user to have the GitHub CLI authenticated (documented in SKILL.md), which is a reasonable prerequisite.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide agent settings. Tool permissions in SKILL.md mark destructive actions as danger_full_access, which is appropriate for Git operations that can rewrite history.
What to consider before installing
This skill appears to implement the advanced Git features it claims, but the Python runtime composes shell commands from user inputs and calls them with shell=True. That can allow arbitrary command execution (command injection) if a malicious or malformed branch name, path, repo URL, PR title/body, or commit hash is passed. Before installing or running: - Review and/or fix scripts/run.py: avoid shell=True and use subprocess.run(list_of_args) or properly escape/validate all inputs. Validate repo_url, branch names, paths, and sanitize PR title/body. - Test the skill in an isolated environment or container on non-sensitive repositories. - Ensure the GH CLI is authenticated with a limited-scope account (not your personal/org admin account). - If you cannot audit/fix the code, treat this as untrusted: do not run it on production or sensitive repositories. If the maintainer provides a version that removes shell=True and uses safe argument passing (or otherwise documents robust input sanitization), the main technical concern would be resolved and the assessment could change to benign.

Like a lobster shell, security has layers — review code before you run it.

gitvk970jd8y48pwwp2vsmy4g1h40x8409g3latestvk970jd8y48pwwp2vsmy4g1h40x8409g3prvk970jd8y48pwwp2vsmy4g1h40x8409g3rebasevk970jd8y48pwwp2vsmy4g1h40x8409g3recoveryvk970jd8y48pwwp2vsmy4g1h40x8409g3worktreevk970jd8y48pwwp2vsmy4g1h40x8409g3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments