ClawHub

Post Merge Rename

Security checks across malware telemetry and agentic risk

Overview

This is a branch-cleanup tool, but it can delete old remote branch names while repeatedly saying it never deletes branches.

Review before installing or running. Use --dry-run first, confirm the repository and origin remote, and run it only if you intentionally want old remote branch names removed after renamed branches are pushed. Teams relying on branch names for CI, PRs, links, audits, or protected workflows should require explicit operator approval or modify the script to make remote deletion opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill’s declared purpose is branch renaming for history preservation, but the documented behavior also performs network and state-changing remote operations, including pushing renamed refs and deleting the old remote branch name. That mismatch is dangerous because users or higher-level agents may invoke it assuming a local, non-destructive rename, when it can actually alter shared repository state and remove a remote ref.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest frames the capability as preserving history via renaming, but the documented workflow deletes the old branch name from origin. Even if this is intended as part of a rename, omitting that fact from the skill contract can mislead automation and users into authorizing a more destructive operation than expected.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The text explicitly says, 'We never delete branches. We rename them,' but later states it deletes the old branch name from origin. That contradiction can cause operators to underestimate the risk and run the skill in environments where remote ref deletion is prohibited, audited, or could disrupt collaborators and tooling that still rely on the old branch name.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This is a true safety issue because the skill's stated behavior is to preserve history by renaming branches, but the implementation also deletes the original remote branch ref with `git push origin --delete`. That mismatch can mislead users into running a destructive operation they did not authorize, potentially breaking branch-based workflows, PR references, automation, or audits that depend on the old remote name.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The inline comments explicitly say 'Never deletes branches. Only renames,' but the code later deletes the old remote branch name. In a security review, deceptive or inaccurate documentation around destructive operations is dangerous because operators may trust the comments and run the script in production, causing unintended loss of the expected remote ref and downstream disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes deleting the old branch name from the remote without an explicit warning, confirmation, or emphasis on its destructive effect. In an agentic or scripted context, this increases the chance of accidental execution against shared repositories, potentially breaking references, workflows, or expectations around branch retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal