Git Workflows Advanced

Security checks across malware telemetry and agentic risk

Overview

This Git automation skill is mostly purpose-aligned, but it gives broad repository and GitHub authority through unsafe shell command construction and weak safeguards.

Review carefully before installing. Only use this skill in repositories where you are comfortable with branch rewrites, worktree creation, subtree imports, and GitHub PR creation, and avoid passing untrusted branch names, paths, URLs, tags, titles, or PR bodies until the shell command handling is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run(cmd, cwd=None):
    """Run a command and return (returncode, stdout, stderr)"""
    # shell=True hands the whole string to /bin/sh, so any untrusted
    # substring interpolated into cmd is interpreted as shell syntax.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)
    return result.returncode, result.stdout, result.stderr

def git_rebase_interactive(base, autosquash=False):
    ...  # function body not included in the scanner's excerpt
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The documentation makes contradictory safety claims: one section says interactive rebase 'does not execute,' while the tool description says it 'starts an interactive rebase.' For a tool with danger_full_access, this ambiguity can mislead users or downstream agents into invoking a history-rewriting operation under the false assumption that it is only advisory, risking destructive repository state changes.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The Safety section claims destructive operations require an additional safety flag, but no such flag exists in the documented schemas. This creates a false sense of protection and can cause agents or users to perform reflog restore or subtree operations without the promised safeguard, increasing the chance of accidental destructive changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents destructive Git operations like reflog-based restore and subtree modification without a concrete warning, confirmation flow, or guardrails. In an agent setting, these actions can rewrite refs, alter repository contents, or create hard-to-reverse changes if invoked on the wrong branch or commit.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function can create branches, create directories, and add Git worktrees without any confirmation barrier, and it builds the commands from untrusted input. In an agent/tool context, that combination makes unintended repository modification and command injection more dangerous because the action is both state-changing and easily triggered remotely.

Missing User Warnings

High
Confidence
96% confidence
Finding
The restore path force-updates a branch via git branch -f using attacker-controlled target_branch and commit_hash, with no confirmation or safety checks. This can silently rewrite refs and, because of shell interpolation, may also permit arbitrary command execution if crafted input is passed to the tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This operation performs network access and repository modification using repo_url, prefix, and branch directly in shell-built commands. In a tool-execution environment, that can both exfiltrate information through network interactions and allow command injection or unexpected repo changes without clear user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
PR creation transmits title/body/head/base to the GitHub CLI and remote service without any disclosure or confirmation, and those fields are interpolated into a shell command. That makes the function risky both for unintended data egress and for command injection via crafted PR text or ref names.

VirusTotal

63/63 vendors flagged this skill as clean.
