ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Push

v0.1.0

Secure GitHub push automation with auto SSH and remote config. Use when git push, automated push, or conflict handling needed.

0· 347·4 current·4 all-time
byNima Chu@nimachu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nimachu/github-push.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Github Push" (nimachu/github-push) from ClawHub.
Skill page: https://clawhub.ai/nimachu/github-push
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-push

ClawHub CLI

Package manager switcher

npx clawhub@latest install github-push
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated goal—automating secure GitHub pushes—generally matches the included code (git commands, ssh-add, remote handling). However there are mismatches: the code claims to "auto-create repo" yet contains no GitHub API calls or credential requirements to create repositories remotely. Also the code re-initializes repositories (removes .git) which is not an expected or benign action for a "safe" push tool and can destroy history.
!
Instruction Scope
Runtime instructions and the script direct the agent to inspect and modify user SSH state (~/.ssh, ssh-add), manipulate git metadata (init, remove .git), stage/commit/force-push, and auto-resolve conflicts by rebasing and forcing. These go beyond merely calling 'git push' and include destructive operations (deleting .git) and powerful actions (git push -f) that can alter or erase repository history without an explicit, well-scoped user confirmation.
Install Mechanism
No external install mechanism is declared and the skill is delivered as source files (script present). That lowers supply-chain download risk. However this also means the code will run locally with whatever privileges the agent or user grants, so inspect the scripts before running.
Credentials
The skill requests no environment variables, which is consistent with it relying on SSH-based auth. It nevertheless auto-inspects and attempts to load keys from ~/.ssh and invokes 'ssh-add', which accesses private keys and the user's ssh-agent: reasonable for pushing via SSH but sensitive. The lack of any GitHub token or API credential is inconsistent with the claim to auto-create remote repositories.
!
Persistence & Privilege
always:false (good). However the skill performs filesystem operations with significant side effects (deleting the .git directory, re-initializing repos, force-pushing). Those are persistent, privileged modifications to a user's repository and could cause data loss. The skill does not appear to modify other skills or agent configs, but its file-system actions are high-impact.
What to consider before installing
This skill does perform the task it advertises but has surprising and risky behavior. Before installing or running it: 1) Inspect the full scripts (especially github_upload.py) to confirm you accept the logic that deletes .git and performs forced pushes. 2) Never run on a production or important repository without a backup—create a copy of the repo first. 3) Prefer running with --dry-run and test in an isolated container or VM. 4) If you need automatic repository creation on GitHub, require a documented GitHub API/token flow—otherwise the "auto-create repo" claim is misleading. 5) If you cannot audit the code, avoid giving it access to your real SSH keys or run it with a throwaway key/account. If you want, I can list the exact code locations (functions/lines) that delete .git, call ssh-add, and perform force-push so you can review them directly.

Like a lobster shell, security has layers — review code before you run it.

latestvk9735vbakwp6tc7qhmzy79mye182fakj
347downloads
0stars
1versions
Updated 1h ago
v0.1.0
MIT-0
Nima Chu@nimachu
latest
Download

GitHub Push - Secure Auto-Push Tool

Automated GitHub push with:

  • Auto SSH Config: Auto-detect and load SSH keys
  • Auto Remote Config: Auto-add git remote origin
  • Auto Conflict Resolution: Auto pull + rebase + force
  • Anti-Ban Mechanism: Rate limiting + commit batching + smart validation

Installation

No external dependencies required. Uses standard Git CLI (always available).

Usage Examples

# Quick push (auto-configures everything)
python3 scripts/github_upload.py --repo owner/repo --path ./files --message "Update"

# Dry run test (no actual push)
python3 scripts/github_upload.py --repo owner/repo --path ./files --dry-run

# Force push (auto-resolves conflicts)
python3 scripts/github_upload.py --repo owner/repo --path ./files --force

# Show version info
python3 scripts/github_upload.py --version

Configuration

Create config.yaml for persistent settings:

defaults:
  safe_mode: true
  min_delay: 3  # seconds between operations
  max_delay: 5  # seconds between operations
  batch_commits: true
  enable_validation: true
  dry_run: false
  
safety:
  max_commits_per_hour: 100
  max_pushes_per_hour: 50
  min_time_between_pushes: 180  # 3 minutes cooldown

Safety Thresholds

MetricDefaultDescription
Delay between ops3-5sRandomized delay
Push cooldown180sMin time between pushes
Max pushes/hour50Anti-spam limit
Max commits/hour100Anti-automation limit

Troubleshooting

Error: "Too frequent pushes"

Solution: Wait at least 3 minutes before next push.

Error: "Repository not found"

Solution: Check repository exists and you have push access. Verify SSH key is added to GitHub.

Error: "Permission denied (publickey)"

Solution:

# Load SSH key
ssh-add ~/.ssh/id_ed25519

# Verify SSH connection
ssh -T git@github.com

Error: "Merge conflict"

Solution: The script handles this automatically with pull + rebase + force. Check repository state if issue persists.

Error: "Validation failed"

Solution:

  • Check path exists and is accessible
  • Verify files don't exceed 100MB (GitHub limit)
  • Check for suspicious patterns (e.g., .env, id_rsa)

When Not to Use

  • Just viewing GitHub content
  • Creating issues or PRs
  • Code review

References

  • references/ - Detailed config and API docs
  • scripts/ - Full code examples

MIT License - OpenClaw Skill Standard

Comments

Loading comments...