Git Deploy

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill matches a Git deployment workflow, but it exposes a repository token and can push all current repository changes, so it should be reviewed before use.

Do not install or use this skill until the embedded token has been removed and rotated. If you still use the script, only run it in the intended repository after reviewing exactly which files will be committed and which branch/remote will be pushed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A valid Git token could allow unauthorized access to the referenced repository, or to any account permissions tied to that token.

Why it was flagged

SKILL.md contains a plaintext repository access token, while the registry declares no primary credential. If the token is valid, anyone with access to the skill artifact could potentially use it outside the intended workflow.

Skill content

**Token**: c865b793f09a3b79b65...

Recommendation

Remove the token from the skill, revoke and rotate it, and require users to provide credentials through a scoped secret manager or normal Git authentication.

What this means

Running the skill could publish unintended code, local files, or secrets that are not excluded by .gitignore.

Why it was flagged

The script stages every change in the repository and pushes to the current branch. This is purpose-aligned, but it is broad and has no built-in status/diff review, branch check, or confirmation step.

Skill content

git add .
...
git commit -m "$COMMIT_MSG"
...
git push

Recommendation

Review `git status` and the diff before running, and consider adding an explicit confirmation step, branch/remote validation, or narrower staging behavior.