Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Commit PR Workflow

v1.0.0

Use when the user wants the full git workflow: branch creation if needed, commit, push, and PR create or update with a concise summary and test plan.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with committing, pushing, and opening/updating PRs. However, creating/updating PRs normally requires a git client plus remote-host authentication (e.g., gh/Hub API tokens or ssh keys). The skill declares no required binaries or credentials, which is unexpected for the stated purpose.
Instruction Scope
Runtime instructions tell the agent to inspect branch state, diffs, and existing PR state and then create or update PRs. Those operations imply reading repository state and interacting with an external git hosting service, but the skill doesn't specify which host or how to authenticate. The guardrails are reasonable but high-level; the skill grants the agent open discretion to determine 'relevant changes' to stage/commit.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. There is nothing being downloaded or written to disk by the skill bundle itself.
Credentials
The skill requests no environment variables or config paths, yet performing remote PR operations normally requires credentials (API tokens or SSH keys) or a CLI (gh) that uses stored credentials. The omission is disproportionate/ambiguous: either the skill assumes existing host-level credentials (not declared) or it lacks a mechanism to create PRs as claimed.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request persistent installation or elevated platform privileges.
What to consider before installing
This skill appears to implement a normal git commit/push/PR workflow, but it omits key operational details. Before installing or using it:
1) Confirm which git hosting provider (GitHub/GitLab/Bitbucket) it will interact with.
2) Ask whether it requires the git CLI, the provider's CLI (e.g., gh), or specific environment credentials (GITHUB_TOKEN, GITLAB_TOKEN, or access to SSH keys).
3) Require explicit confirmation prompts before staging, committing, pushing, or creating PRs (especially pushes to remotes).
4) Run it in a safe/forked repository first and verify its behavior.
5) If you need stricter controls, request the skill declare required binaries and credentials or restrict it from performing remote PR creation automatically.

Like a lobster shell, security has layers — review code before you run it.
