Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Deploy

Simple deployment skill for local git operations. Use when you need to add, commit, and push changes to the Git repository. Designed for quick local deployme...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 22 · 0 current installs · 0 all-time installs
by Vitali Sakalouski @sirenday
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (local git deployment) matches the included script which stages, commits, and pushes. However the SKILL.md claims use of a 'pre-configured repository URL and token' even though the script uses the local repo remotes and does not reference that URL/token — this mismatch is unexpected.
! Instruction Scope
The script itself stays scoped to the repo (.git), stages, commits, and pushes. The SKILL.md, however, publishes a repository URL and a plaintext token (sensitive data) which are unrelated to the script's runtime behavior; including secrets in instructions is scope creep and a data exposure risk.
Install Mechanism
No install spec (instruction-only with a small shell script). Nothing is downloaded or written to disk during install — lowest-risk install mechanism.
! Credentials
No environment variables or credentials are declared as required, yet a long token is embedded in SKILL.md. Requiring or publishing a token for a remote git host is disproportionate given the script uses the local git configuration and makes no use of that token. Publishing secrets in the skill is inappropriate.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence or modify other skills or system-wide settings. Agent-autonomous invocation is allowed by default but not by itself a problem here.
What to consider before installing
Do not install or use this skill until the author clarifies why the SKILL.md contains a plaintext repo URL and token. Treat the token as a leaked secret: if it is real, rotate/revoke it immediately. Prefer skills that do not embed credentials in documentation; verify that the script will use only your local git credentials and remotes. If you still want to use it, remove the token from the SKILL.md, confirm the remote is correct, and run the script only in trusted repositories. If you published this skill, ensure sensitive tokens are not included in skill metadata or files.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latestvk977g9mskkdx6r38j8sd3bcvvn830tyb

SKILL.md

Git Deploy

Overview

This skill automates the standard git workflow for local development:

  • Stage all changes
  • Commit with a message
  • Push to the current branch

The script uses a pre-configured repository URL and token.

Usage

scripts/deploy.sh "feat: Task #X - Description"

Repository

Notes

  • The script assumes it is run in the project root.
  • If you need to push to a specific branch, modify the script or commit message.

Files

2 total