Skillv1.0.0

ClawScan security

Git Commit PR Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 1, 2026, 5:30 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (commit, push, and create/update PRs) is plausible, but the instructions omit key operational details (which git tooling and how authentication/PR creation is performed), so the declared requirements are incomplete and there is scope for unintended actions.
Guidance: This skill appears to be what it says (end-to-end git -> PR), but it omits operational details you should confirm before using it: - Verify the agent environment actually has git and any CLI tools it will use (git, gh, hub) and that those are the intended tools. The skill itself does not declare these as requirements. - Confirm how authentication will be performed: will it rely on SSH keys present in the environment, an existing remote credential, or an API token? If API tokens or SSH keys are available to the agent, ensure they have only the minimum needed permissions and do not expose sensitive repos. - Ask the skill author to document which remote host (GitHub/GitLab/other) the skill targets and whether it will call a third-party API or use the local git client. Lack of this detail can lead the agent to push or open PRs in unexpected locations. - Because instructions are high-level and allow broad discretion, review the exact git commands the agent plans to run before allowing execution — especially any operation that could rewrite history or touch protected branches. - Test the skill first in a non-sensitive repository or fork, and restrict its use to user-invoked runs rather than automatic/always-on invocation. If you need the skill, request the maintainer add explicit requirements (git binary, preferred CLI/tooling, and documented auth mechanism) so you can validate them before granting the agent access to real repositories.

Review Dimensions

Purpose & Capability: concernThe skill claims to perform end-to-end git delivery including PR creation, but the manifest declares no required binaries or credentials. Performing these actions typically requires a git client and authentication (SSH keys, GitHub/GitLab token, or CLI tools). The absence of declared dependencies or a stated auth mechanism is an incoherence.
Instruction Scope: noteSKILL.md gives a high-level workflow (inspect branch/diff, create branch, commit, push, create/update PR) and guardrails (no destructive commands, avoid secrets). It does not specify which commands or tools to use (git CLI, 'gh'/'hub', or API), nor how to choose remotes or PR host. The guidance is non-prescriptive, which leaves the agent broad discretion but not explicitly dangerous on its face.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files. That limits the attack surface — nothing will be written or executed from a downloaded package by default.
Credentials: concernNo environment variables, tokens, or credential requirements are declared despite the skill needing push and PR creation capabilities. Real usage requires authentication (SSH keys in agent environment or API tokens). The skill relies implicitly on existing environment credentials but does not document this, which is disproportionate to the manifest and may cause surprising behavior or failed runs.
Persistence & Privilege: okThe skill does not request always: true and is user-invocable only. It also does not indicate modifying other skills or system-wide settings. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal; there are no additional persistence privileges requested.