Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Repo Manager

Git repository and SourceGit integration management. clone - ghq get with automatic SourceGit registration [clone.md], fix-worktree - bare repo worktree conf...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 13 · 0 current installs · 0 all-time installs
byes6kr@drumrobot
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (git repo + SourceGit integration) aligns with included scripts and docs: cloning, migrating to ghq, fixing worktrees, and editing SourceGit's preference.json are all coherent features. However, the SKILL.md and guides assume presence of system binaries (git, ghq, gh, python3) and access to home config files but the skill's metadata declares no required binaries or env vars — an omission that reduces clarity about what the agent will need to run.
! Instruction Scope
Runtime instructions explicitly read and edit the user's SourceGit preference.json, move and remove repository directories, update git remotes, and run git index operations. clone.md states certain registration steps 'proceed automatically without user confirmation' (automatic edits to preference.json), while other workflows require AskUserQuestion — this inconsistency is important because editing a GUI client's config and moving/removing repository data are high-impact actions that should always require explicit user confirmation and backups.
Install Mechanism
This is an instruction-only skill with included scripts (no install spec). That minimizes installer risk (no remote downloads), but the supplied scripts will be written into the agent environment when the skill is installed and executed locally.
! Credentials
The guides reference using GH_TOKEN (embedding a token into HTTPS clone URLs) and commands such as `gh auth token` but the skill does not declare any required environment variables or a primary credential. Suggesting embedding a token into a clone URL is sensitive: it can expose credentials in shell history, process listings, or if not correctly removed. The skill also reads and edits config files under the user's home directory (preference.json), which are sensitive. These capabilities are explainable by the purpose, but their sensitive nature and the lack of declared requirements/explicit confirmation raise proportionality concerns.
Persistence & Privilege
always:false and default model-invocation behavior are appropriate. The skill does not request persistent elevated platform privileges or modify other skills' configs. It does edit user files (preference.json) and perform filesystem moves, which are normal for its purpose but should be gated by user consent.
What to consider before installing
This skill appears to do what it says (manage ghq repos and edit SourceGit configuration) but includes several high-impact actions. Before installing or running it:
  1. Confirm required binaries are available (git, ghq, gh, python3) — the skill assumes them but doesn't declare them.
  2. Back up SourceGit's preference.json and your repositories (or test in a disposable environment) before allowing automatic edits or migrations.
  3. Be cautious with the GH_TOKEN workflow: avoid embedding tokens in URLs or shell history; prefer interactive gh authentication or ephemeral tokens and verify the token was removed from remotes and history.
  4. Expect the scripts to move and modify files (mv, rm, ln, git config) — review scripts line-by-line and require explicit confirmation for destructive steps.
  5. If you need autonomous invocation, restrict it until you are comfortable with the confirmation behavior (the skill has mixed guidance about when it asks the user).
If you want, provide the missing information (declared binaries and an explicit policy about confirmations) or run the scripts manually first to validate behavior.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latest: vk978bh14r1751bbs6b6p0933p583zzsy

SKILL.md

Git Repo

Git repository management and SourceGit GUI client integration.

Topics

| Topic | Description | Guide |
|---|---|---|
| clone | ghq get with automatic SourceGit registration (multi-account support) | clone.md |
| fix-worktree | bare repo worktree configuration recovery | fix-worktree.md |
| merge-duplicate | merge duplicate repositories with the same origin | merge-duplicate.md |
| migrate | migrate regular Git repositories to ghq directory structure | migrate.md |
| patrol | batch inspection of ghq repositories (status, stash, unpushed + commit-splitter integration) | patrol.md |
| sourcegit | SourceGit preference.json management (add repos, workspaces, folder rename) | sourcegit.md |

Quick Reference

ghq Clone (automatic SourceGit registration)

When ghq get <url> is executed, the following happens automatically:

  1. Clone the repository
  2. Register in SourceGit (under the appropriate group)
  3. Auto-create the group if it doesn't exist

Proceeds automatically without user confirmation

Detailed guide

SourceGit Management

Directly edit the SourceGit GUI client's configuration file to add repositories, create workspaces, rename folders, etc.

Key features:

  • Add/remove repositories
  • Create workspaces
  • Sync ghq repositories
  • Update paths on folder rename

Detailed guide

ghq Migration

Migrate regular Git repositories to ghq directory structure (~/ghq/host/group/repo/).

Key features:

  • Automatic bare+worktree structure conversion
  • Create symbolic links at original location
  • Nested group support (host/group/subgroup/repo)

Detailed guide

Repo Patrol (batch inspection)

Batch inspect and clean up the status of repositories under ghq.

Key features:

  • Parallel collection of status, stash, unpushed for all repositories
  • Status-based processing (commit-splitter integration, stash pop, push)
  • Optional fetch all at the end

Detailed guide

Common Workflow

  1. Repository migration: Migrate to ghq structure with migrate topic
  2. SourceGit update: Register new paths with sourcegit topic
  3. Batch inspection: Clean up uncommitted/unpushed changes with patrol topic

Scripts

  • ./scripts/repo-to-ghq.sh - Script to move repositories to ghq path

Files

9 total