Github Push

Security checks across malware telemetry and agentic risk

Overview

This skill is a GitHub push helper, but it can erase local Git history, auto-use SSH credentials, stage more files than advertised, and force-push with weak safeguards.

Review carefully before installing. Do not run it on an important existing repository or a directory containing secrets unless you have a backup and have verified the dry-run output. Prefer a dedicated low-privilege SSH key, inspect staged files manually, and avoid --force on shared branches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill advertises shell-capable behavior without declaring permissions, which undermines informed consent and any policy gating that depends on explicit capability disclosure. In this context, the skill can invoke git, ssh-add, and related commands that affect local repositories and credentials, so hidden shell access materially increases risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: This is a substantial description-behavior mismatch: the markdown presents the tool as a secure push helper, but the detected behavior includes destructive repository reinitialization, force pushing, staging all files, modifying git identity, and loading SSH keys from ~/.ssh. Those actions can overwrite history, commit sensitive local files, and use credentials the user did not intend to expose, making the skill more dangerous than its description suggests.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The documentation promises excluded files are not uploaded, but the actual commit path stages everything with 'git add .'. That mismatch can cause secrets, private configuration, and other supposedly excluded files to be committed and pushed to GitHub, creating a serious confidentiality risk in a push-automation skill.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The tool is described as secure automation, yet it deletes existing .git metadata and reinitializes the repository. In context, that can destroy commit history, remove prior remotes/hooks/configuration, and convert an existing repo into a fresh one before pushing, which is a destructive and security-relevant mismatch from user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: Auto-loading SSH keys from ~/.ssh exceeds the minimally necessary scope for a push helper and touches sensitive local credentials. In an agent skill, this is more dangerous because the user may not expect the tool to inspect and load identities from the host automatically.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README promotes force-push as part of 'intelligent conflict resolution' but does not clearly warn that force-push can overwrite remote history and discard collaborators' commits. In an automation skill intended for CI/CD and batch workflows, normalizing force-push without strong guardrails increases the chance of destructive misuse.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: Broad invocation phrases such as 'git push' or 'automated push' increase the chance that the skill is triggered in routine contexts where the user did not specifically request credential handling, remote reconfiguration, or forceful repository changes. Because this skill can perform sensitive shell and git actions, overbroad matching expands the attack surface and raises the likelihood of unintended execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The markdown explicitly describes forceful repository-changing behavior, including automatic conflict resolution via pull, rebase, and force, but does not provide an equally explicit warning about data loss, history rewrites, or accidental overwrites. In a push automation skill, that omission is dangerous because users may treat 'auto-resolve' as safe when it can irreversibly alter shared repository state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation states that the tool will automatically detect standard SSH private key paths, but it does not warn users that this behavior touches highly sensitive credentials or explain how consent and key selection are handled. In a push-automation skill, implicit credential discovery increases the risk of unintended key use, user surprise, and accidental authentication with the wrong identity.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: Automatically adding a Git remote modifies repository configuration, but the documentation does not warn that local repo state will be changed or that pushes may be redirected to a newly configured destination. In an automation context, silent config mutation can cause accidental data disclosure, confusion, or pushes to the wrong repository.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The documented conflict-resolution flow escalates automatically to `git push -f` after failures without prominently warning that force-push can overwrite remote history and destroy collaborators' commits. In a GitHub push automation skill, this is especially dangerous because users may trust the automation and trigger irreversible repository damage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation states that SSH keys are 'auto-loaded' while also claiming no required environment variables, but it provides no warning, consent mechanism, or scope limitations for credential discovery and use. In a skill designed to automate GitHub pushes, implicit credential loading increases the risk of unintended authentication with sensitive local keys, potentially causing unauthorized pushes or exposing users to misuse of their existing SSH identities.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The examples document repository-modifying operations, including a force push option, without clearly warning that these actions can overwrite remote history or publish unintended content. In an automation-focused skill, omission of safety guidance increases the likelihood of accidental destructive use, especially when users copy commands directly from documentation.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The code deletes the existing .git directory via shutil.rmtree without confirmation. That is destructive behavior that can erase repository metadata, history references, configuration, and state, and is especially dangerous in an automation context where users may assume non-destructive upload behavior.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The tool accesses ~/.ssh and attempts to load identities into the agent without a clear upfront warning or consent step. Accessing local credentials silently is risky because it expands the skill's authority and may expose or activate credentials the user did not intend to use.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The tool performs remote transmission of local files with git push, but the safety messaging does not clearly foreground that content will be sent to GitHub. In an agent setting, unclear disclosure increases the chance of unintended data exfiltration, especially because filtering is unreliable elsewhere in the code.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger phrase set is broad enough to match common user requests like generic Git push or auto-push actions without meaningful scoping. In an automation skill that can configure SSH and push code remotely, accidental or overly eager invocation can cause unintended repository changes or credential-related actions.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger list contains several ambiguous phrases, including generic terms for pushing code and committing, which can collide with normal conversational requests. Because the skill is designed to automate remote configuration and pushing, loose matching increases the chance of unintended activation and unsafe side effects in source-control workflows.

VirusTotal

63/63 vendors flagged this skill as clean.