Git Deploy
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: git-deploy
Version: 1.0.0
The skill bundle contains a hardcoded plaintext authentication token and a specific internal repository URL (http://git.homelab:3000) within the SKILL.md file. While the scripts/deploy.sh script performs standard, non-malicious git operations, the exposure of credentials in the documentation is a significant security vulnerability (credential exposure) that could be exploited if the environment is accessible.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A valid Git token could allow unauthorized access to the referenced repository or account permissions tied to that token.
SKILL.md contains a plaintext repository access token, while the registry declares no primary credential. If the token is valid, anyone with access to the skill artifact could potentially use it outside the intended workflow.
**Token**: c865b793f09a3b79b65...
Remove the token from the skill, revoke and rotate it, and require users to provide credentials through a scoped secret manager or normal Git authentication.
Running the skill could publish unintended code, local files, or secrets that are not excluded by .gitignore.
The script stages every change in the repository and pushes to the current branch. This is purpose-aligned, but it is broad and has no built-in status/diff review, branch check, or confirmation step.
git add . ... git commit -m "$COMMIT_MSG" ... git push
Review `git status` and the diff before running, and consider adding an explicit confirmation step, branch/remote validation, or narrower staging behavior.
