Mercurial to Git Converter

Warn

Audited by ClawScan on May 10, 2026.

Overview

The converter matches its stated purpose, but it can delete an existing target directory without confirmation and may auto-install and run an unpinned external helper.

Review the scripts before use, install hg-fast-export from a trusted pinned source if possible, choose a fresh target directory, and avoid the large-repo script on any path that may contain data you need.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or reused target path could cause local data loss before the conversion starts.

Why it was flagged

The large-repo converter deletes any existing target directory without prompting, and the target path is user-provided or derived from the source path.

Skill content

if [ -d "$GIT_REPO" ]; then
    echo "Removing existing $GIT_REPO..."
    rm -rf "$GIT_REPO"
fi

Recommendation

Use a new empty target directory, run the large-repo script only after reviewing the path, and add an explicit confirmation or safe backup step before deletion.

What this means

The conversion may execute third-party code from the current state of a GitHub repository rather than a pinned or verified version.

Why it was flagged

If hg-fast-export is missing, the script clones an unpinned external repository and later runs its helper script as part of conversion.

Skill content

git clone https://github.com/frej/fast-export.git "$FAST_EXPORT_DIR"
...
"$FAST_EXPORT_CMD" -r "$HG_REPO" --force

Recommendation

Install hg-fast-export yourself from a trusted, pinned version or verify the cloned repository before allowing the converter to run it.

What this means

Running the script may prompt for administrator privileges and modify system packages.

Why it was flagged

The script can invoke the system package manager with sudo to install a dependency, even though the registry metadata declares no required binaries or privileged setup.

Skill content

sudo apt-get update && sudo apt-get install -y hg-fast-export 2>/dev/null || true

Recommendation

Prefer installing prerequisites manually, and do not grant sudo access unless you understand and approve the package installation.