ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Flow Helper

Assist with Git branch management, merging, rebasing, cherry-picking, and cleaning merged branches for smoother workflow.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 368 · 1 current installs · 1 all-time installs
by@HonestQiao
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name and description match the instructions and the JavaScript implementation: it runs Git operations (create-branch, merge, rebase, cherry-pick, clean-branches). Requiring no credentials or installs is consistent with a local Git helper.
!
Instruction Scope
SKILL.md and skill.yaml include destructive commands (e.g., piping to xargs git branch -d). The implementation constructs shell commands by directly interpolating user-supplied values into exec() calls, enabling shell injection and accidental deletion of branches. The merge implementation also uses a nonstandard 'git merge ${source} into ${target}' string which is incorrect and may cause unexpected behavior.
Install Mechanism
Instruction-only skill with no install spec or external downloads; nothing is written to disk by an installer. Lower risk from install mechanism.
Credentials
No environment variables, credentials, or config paths are requested — proportional to the stated Git helper purpose.
Persistence & Privilege
The skill is not always-enabled and doesn't request elevated persistence, which is good. However, because the implementation allows arbitrary shell execution (exec) and the agent may invoke the skill autonomously, the blast radius is larger if invoked with malicious or unexpected inputs.
What to consider before installing
This skill does what it claims (Git branch and merge helpers), but its implementation is risky: it builds shell commands with unsanitized user input and runs them (child process exec), and includes commands that delete branches. Before installing or enabling it, consider: 1) review and fix the implementation to avoid string-interpolated shell commands — use execFile/spawn with argument arrays or a Git library (libgit2), and validate/whitelist branch/commit names; 2) require explicit user confirmation for destructive actions (branch deletion, forced merges); 3) correct the incorrect merge syntax; 4) test in an isolated repository or non-production environment; 5) restrict autonomous invocation or add safeguards if the agent can run this skill without human approval. If you are not comfortable reviewing/fixing the code, do not enable this skill on agents that have access to important repositories.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
gitvk975kj93wqcahv58medr52wfd181nmn2latestvk975kj93wqcahv58medr52wfd181nmn2version-controlvk975kj93wqcahv58medr52wfd181nmn2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Git Flow Helper

智能 Git 操作助手,帮助处理分支、合并、冲突等。

功能

  • 分支管理
  • 智能合并
  • Cherry-pick
  • 清理已合并分支
  • Rebase 辅助

触发词

  • "git操作"
  • "git命令"
  • "git flow"

命令示例

# 创建分支
git checkout -b feature/new-feature

# 合并分支
git merge feature/new-feature

# 变基
git rebase main

# Cherry-pick
git cherry-pick abc123

# 清理已合并分支
git branch --merged | grep -v '*' | xargs git branch -d

操作

  • create-branch: 创建新分支
  • merge: 合并分支
  • rebase: 变基操作
  • cherry-pick: 挑选提交
  • clean-branches: 清理已合并分支

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…