Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub Push CN

v1.0.0

Secure GitHub push automation with auto SSH and remote config. Use when git push, automated push, or conflict handling needed.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for onlyloveher/github-push-cn.

Prompt preview (Install & Setup):
Install the skill "GitHub Push CN" (onlyloveher/github-push-cn) from ClawHub.
Skill page: https://clawhub.ai/onlyloveher/github-push-cn
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-push-cn

ClawHub CLI

npx clawhub@latest install github-push-cn

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (GitHub push automation) aligns with the code and docs: it manipulates git, configures remotes, and performs pushes. However, some claims are questionable or under-specified (e.g., 'auto-create repo if doesn't exist' requires GitHub API/credentials but the skill declares no such credential). Re-initializing by removing an existing .git (documented in code) is surprising relative to a typical 'push' helper.
! Instruction Scope
Runtime behavior includes reading the user's home (~/.ssh), invoking ssh-add to load private keys, manipulating git config (user.name/email), removing .git (shutil.rmtree) and re-initializing repositories, staging/committing, pulling/rebasing and force-pushing. These are powerful, potentially destructive filesystem and credential operations that go beyond a passive 'push helper' and are not gated by strong user confirmation in the docs.
Install Mechanism
No remote install or third-party downloads—this is contained in the shipped code. That lowers supply-chain risk compared to network installs. The skill executes local subprocesses (git, ssh-add) which are expected for this function.
! Credentials
The skill requests no declared env vars but reads and acts on sensitive local material: it auto-detects and will auto-load private SSH keys from ~/.ssh into the ssh-agent. Access to SSH keys and removal of .git are high-impact operations and should be explicitly declared and justified. The lack of declared credentials or clear safeguards is disproportionate to what the metadata states.
! Persistence & Privilege
The skill does not set 'always' and is user-invocable, but it performs persistent/modifying actions on the user's repository state (deleting .git, changing remotes, configuring user.email/name). Those modifications affect local data and history and are not limited to a sandbox—this is higher privilege than a read-only helper.
What to consider before installing
This skill can perform destructive changes and touch private SSH keys. Before installing or running:

  1) Review the script lines that remove .git and that call 'ssh-add'—back up any repositories (copy the .git directory) and never run it on a production repo.
  2) Prefer running with --dry-run first and inspect the computed file list.
  3) Check that you understand and consent to auto-loading private keys into your ssh-agent; consider using a dedicated key with limited access.
  4) Be cautious about the 'auto-create repo' claim—the package supplies no GitHub API token handling, so verify how repository creation is actually implemented.
  5) If you intend to let an autonomous agent use this skill, restrict agent permissions and test in an isolated environment.

If anything is unclear, ask the author for explicit confirmation of destructive steps and for safeguards such as explicit user confirmation before removing .git or doing force-pushes.
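
One way to do the review in step 1 before running an unfamiliar skill script, as an added example that is neither ClawHub's scanner nor the skill's own code: a static pass over Python source that lists the calls and string literals matching the operations named above. `SAMPLE_SOURCE` is constructed for illustration, and the `RISKY_CALLS` / `RISKY_STRINGS` lists and the function names are assumptions.

```python
import ast

# Constructed sample input, NOT the skill's real source; it only mirrors the scan's findings.
SAMPLE_SOURCE = '''
import os, shutil, subprocess
def reinit(path):
    shutil.rmtree(os.path.join(path, ".git"))
    subprocess.run(["git", "init"], cwd=path)
def load_keys():
    key = os.path.expanduser("~/.ssh/id_ed25519")
    subprocess.run(["ssh-add", key])
def push(force):
    cmd = ["git", "push", "origin", "main"]
    if force:
        cmd.append("--force")
    subprocess.run(cmd)
'''

# Hypothetical review lists (assumptions); extend them for your own policy.
RISKY_CALLS = {"shutil.rmtree": "recursive delete (can remove .git)"}
RISKY_STRINGS = {
    "ssh-add": "loads private keys into ssh-agent",
    "~/.ssh": "reads the user's SSH directory",
    "--force": "force push can overwrite remote history",
}

def dotted_name(node):
    """Return 'a.b' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""

def audit(source):
    """Return sorted (line, marker, reason) tuples a reviewer should inspect."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and dotted_name(node.func) in RISKY_CALLS:
            name = dotted_name(node.func)
            found.add((node.lineno, name, RISKY_CALLS[name]))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            found.update((node.lineno, m, why)
                         for m, why in RISKY_STRINGS.items() if m in node.value)
    return sorted(found)

if __name__ == "__main__":
    for line, marker, reason in audit(SAMPLE_SOURCE):
        print(f"line {line}: {marker} ({reason})")
```

The source is parsed, never executed, so the pass is safe to run on a script you have not yet decided to trust; an empty result only means none of the listed markers appear, not that the script is harmless.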

latest: vk97ad3hd8kdnx6s0jx7ynr65s983ah8y
107 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

GitHub Push - Secure Auto-Push Tool

Automated GitHub push with:

  • Auto SSH Config: Auto-detect and load SSH keys
  • Auto Remote Config: Auto-add git remote origin
  • Auto Conflict Resolution: Auto pull + rebase + force
  • Anti-Ban Mechanism: Rate limiting + commit batching + smart validation

Installation

No external dependencies required. Uses standard Git CLI (always available).

Usage Examples

# Quick push (auto-configures everything)
python3 scripts/github_upload.py --repo owner/repo --path ./files --message "Update"

# Dry run test (no actual push)
python3 scripts/github_upload.py --repo owner/repo --path ./files --dry-run

# Force push (auto-resolves conflicts)
python3 scripts/github_upload.py --repo owner/repo --path ./files --force

# Show version info
python3 scripts/github_upload.py --version

Configuration

Create config.yaml for persistent settings:

defaults:
  safe_mode: true
  min_delay: 3  # seconds between operations
  max_delay: 5  # seconds between operations
  batch_commits: true
  enable_validation: true
  dry_run: false
  
safety:
  max_commits_per_hour: 100
  max_pushes_per_hour: 50
  min_time_between_pushes: 180  # 3 minutes cooldown

Safety Thresholds

Metric              Default   Description
Delay between ops   3-5s      Randomized delay
Push cooldown       180s      Min time between pushes
Max pushes/hour     50        Anti-spam limit
Max commits/hour    100       Anti-automation limit

Troubleshooting

Error: "Too frequent pushes"

Solution: Wait at least 3 minutes before next push.

Error: "Repository not found"

Solution: Check repository exists and you have push access. Verify SSH key is added to GitHub.

Error: "Permission denied (publickey)"

Solution:

# Load SSH key
ssh-add ~/.ssh/id_ed25519

# Verify SSH connection
ssh -T git@github.com

Error: "Merge conflict"

Solution: The script handles this automatically with pull + rebase + force push. A force push can overwrite commits on the remote branch, so check the repository state if the issue persists.

Error: "Validation failed"

Solution:

  • Check path exists and is accessible
  • Verify files don't exceed 100MB (GitHub limit)
  • Check for suspicious patterns (e.g., .env, id_rsa)

When Not to Use

  • Just viewing GitHub content
  • Creating issues or PRs
  • Code review

References

  • references/ - Detailed config and API docs
  • scripts/ - Full code examples

MIT License - OpenClaw Skill Standard
