ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Push

v1.0.0

Secure GitHub push automation with auto SSH and remote config. Use when git push, automated push, or conflict handling needed.

0· 63·0 current·0 all-time
by@onlyloveher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match a GitHub push helper and included code performs push-related actions, but some capabilities are disproportionate or unclear: the code explicitly removes an existing .git directory and re-initializes repositories (destructive), and README claims it can 'auto-create repo if doesn't exist' without any GitHub API credentials or network code shown — that claim is inconsistent with the visible implementation.
!
Instruction Scope
SKILL.md/README direct running scripts that will read ~/.ssh, attempt to load private keys via ssh-add, modify git config, initialize repos, stage/commit files, and perform pull/rebase/force-push flows. Those operations modify local repository state and SSH agent state; deleting .git and automatic force-push behavior are particularly intrusive and are not clearly called out in warnings.
Install Mechanism
No install spec or external downloads are used; the skill is delivered as code files and uses only local system commands (git, ssh-add). This lowers supply-chain risk compared to remote downloads.
Credentials
No environment variables or external credentials are requested, which is consistent with SSH-based pushes. However the code inspects and attempts to load private SSH keys from the user's ~/.ssh and will change git global config if missing — access to private keys and global git config is significant and should be explicitly justified to users.
Persistence & Privilege
Skill is not marked always:true and has no special install persistence. It does perform persistent changes to the user's filesystem (removing/rewriting .git, setting git user/email) and to the SSH agent (ssh-add), which are privileges worth noting though not platform-level privileges.
What to consider before installing
This skill mostly does what a Git push helper promises, but exercise caution before installing or running it on important repositories. Specific red flags: (1) The script forcibly removes and re-initializes .git directories — back up repos first. (2) It auto-loads private SSH keys into the agent (ssh-add) — review this behavior if you keep passphrase-protected keys or do not want keys loaded automatically. (3) It will attempt automated pull/rebase and force-push flows which can overwrite remote history; test with --dry-run and on a disposable repo first. (4) The README claims 'auto-create repo' but no GitHub API token or network endpoint is declared; verify how remote creation is supposed to work. Recommended steps: review the full scripts/github_upload.py source locally, run in a safe/test environment, keep backups of any repo before use, and prefer dry-run mode until you confirm behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aewg51csyx1hvp9z7v57sbd83p4w6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments