ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Github Push

v1.0.0

Secure GitHub push automation with auto SSH and remote config. Use when git push, automated push, or conflict handling needed.

0· 92·0 current·0 all-time
by@onlyloveher

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for onlyloveher/github-push-v1.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Github Push" (onlyloveher/github-push-v1) from ClawHub.
Skill page: https://clawhub.ai/onlyloveher/github-push-v1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-push-v1

ClawHub CLI

Package manager switcher

npx clawhub@latest install github-push-v1
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match a GitHub push helper and included code performs push-related actions, but some capabilities are disproportionate or unclear: the code explicitly removes an existing .git directory and re-initializes repositories (destructive), and README claims it can 'auto-create repo if doesn't exist' without any GitHub API credentials or network code shown — that claim is inconsistent with the visible implementation.
!
Instruction Scope
SKILL.md/README direct running scripts that will read ~/.ssh, attempt to load private keys via ssh-add, modify git config, initialize repos, stage/commit files, and perform pull/rebase/force-push flows. Those operations modify local repository state and SSH agent state; deleting .git and automatic force-push behavior are particularly intrusive and are not clearly called out in warnings.
Install Mechanism
No install spec or external downloads are used; the skill is delivered as code files and uses only local system commands (git, ssh-add). This lowers supply-chain risk compared to remote downloads.
Credentials
No environment variables or external credentials are requested, which is consistent with SSH-based pushes. However the code inspects and attempts to load private SSH keys from the user's ~/.ssh and will change git global config if missing — access to private keys and global git config is significant and should be explicitly justified to users.
Persistence & Privilege
Skill is not marked always:true and has no special install persistence. It does perform persistent changes to the user's filesystem (removing/rewriting .git, setting git user/email) and to the SSH agent (ssh-add), which are privileges worth noting though not platform-level privileges.
What to consider before installing
This skill mostly does what a Git push helper promises, but exercise caution before installing or running it on important repositories. Specific red flags: (1) The script forcibly removes and re-initializes .git directories — back up repos first. (2) It auto-loads private SSH keys into the agent (ssh-add) — review this behavior if you keep passphrase-protected keys or do not want keys loaded automatically. (3) It will attempt automated pull/rebase and force-push flows which can overwrite remote history; test with --dry-run and on a disposable repo first. (4) The README claims 'auto-create repo' but no GitHub API token or network endpoint is declared; verify how remote creation is supposed to work. Recommended steps: review the full scripts/github_upload.py source locally, run in a safe/test environment, keep backups of any repo before use, and prefer dry-run mode until you confirm behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aewg51csyx1hvp9z7v57sbd83p4w6
92downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@onlyloveher
latest
Download

GitHub Push - Secure Auto-Push Tool

Automated GitHub push with:

  • Auto SSH Config: Auto-detect and load SSH keys
  • Auto Remote Config: Auto-add git remote origin
  • Auto Conflict Resolution: Auto pull + rebase + force
  • Anti-Ban Mechanism: Rate limiting + commit batching + smart validation

Installation

No external dependencies required. Uses standard Git CLI (always available).

Usage Examples

# Quick push (auto-configures everything)
python3 scripts/github_upload.py --repo owner/repo --path ./files --message "Update"

# Dry run test (no actual push)
python3 scripts/github_upload.py --repo owner/repo --path ./files --dry-run

# Force push (auto-resolves conflicts)
python3 scripts/github_upload.py --repo owner/repo --path ./files --force

# Show version info
python3 scripts/github_upload.py --version

Configuration

Create config.yaml for persistent settings:

defaults:
  safe_mode: true
  min_delay: 3  # seconds between operations
  max_delay: 5  # seconds between operations
  batch_commits: true
  enable_validation: true
  dry_run: false
  
safety:
  max_commits_per_hour: 100
  max_pushes_per_hour: 50
  min_time_between_pushes: 180  # 3 minutes cooldown

Safety Thresholds

MetricDefaultDescription
Delay between ops3-5sRandomized delay
Push cooldown180sMin time between pushes
Max pushes/hour50Anti-spam limit
Max commits/hour100Anti-automation limit

Troubleshooting

Error: "Too frequent pushes"

Solution: Wait at least 3 minutes before next push.

Error: "Repository not found"

Solution: Check repository exists and you have push access. Verify SSH key is added to GitHub.

Error: "Permission denied (publickey)"

Solution:

# Load SSH key
ssh-add ~/.ssh/id_ed25519

# Verify SSH connection
ssh -T git@github.com

Error: "Merge conflict"

Solution: The script handles this automatically with pull + rebase + force. Check repository state if issue persists.

Error: "Validation failed"

Solution:

  • Check path exists and is accessible
  • Verify files don't exceed 100MB (GitHub limit)
  • Check for suspicious patterns (e.g., .env, id_rsa)

When Not to Use

  • Just viewing GitHub content
  • Creating issues or PRs
  • Code review

References

  • references/ - Detailed config and API docs
  • scripts/ - Full code examples

MIT License - OpenClaw Skill Standard

Comments

Loading comments...