Wip Branch Guard

Security checks across malware telemetry and agentic risk

Overview

This is a real branch-guard tool, but its current command allowlist can let some writes through that users would expect it to block.

Review this before installing if you rely on it as a strict protection against main-branch writes. It is not exfiltrating data or installing hidden payloads, but its `.worktrees/` command matching is too broad for a security guard; use it only if you accept that limitation or can patch the allowlist to validate actual write destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 90%
Finding:
The release notes document environment-variable overrides that can disable onboarding checks globally or per-repo, which weakens the guard's security controls and creates an easy bypass path if inherited shell environment or caller-controlled env is present. Although framed as an intentional escape hatch for testing or approved use, a blanket override like `LDM_GUARD_SKIP_ONBOARDING=1` materially reduces protection and is especially risky because the notes do not strongly emphasize the security consequences at the point of use.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The documented `LDM_GUARD_ACK_BLOCKED_FILE=<path>` mechanism explicitly allows a previously denied write to proceed, creating a direct bypass of the blocked-file protection. In a security-sensitive guard, documenting such an override without strong warning, authentication, or friction makes it easier for users or compromised tooling to convert a deny into an allow and defeats the purpose of equivalent-action retry protection.

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
## Worktree-bootstrap allowlist

Extends `ALLOWED_BASH_PATTERNS` to cover `cp` / `mv` / `rm` / `touch` / redirect / `tee` with `.worktrees/` destinations. Before this, only `mkdir` into `.worktrees/` was allowed, so the standard worktree-bootstrap compound:

```
git worktree add .worktrees/<name> -b <branch> origin/main \
```
Confidence: 97%
Finding: `rm` / `touch` / redirect / `tee` with `.worktrees/`

Tool Parameter Abuse

High
Category: Tool Misuse
Content:
## Changes

- `tools/wip-branch-guard/guard.mjs`: three new regex entries in `ALLOWED_BASH_PATTERNS` (cp/mv/rm/touch, redirect, tee; each against `.worktrees/` path). Symmetric with the existing `mkdir .worktrees` entry and mirrors the temp-dir pattern style.
- `tools/wip-branch-guard/test.sh`: 8 new test cases covering allow on all six verbs into `.worktrees/`, plus two regressions confirming non-`.worktrees` main-tree writes still deny.

## Tests
Confidence: 98%
Finding: rm/touch, redirect, tee; each against `.worktrees/`

VirusTotal

67/67 vendors flagged this skill as clean.
