Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TOSR Publish Then Update Test
v0.1.1 · Professional code review and Git commit workflow management. Use this skill when users mention 'push', 'commit', '提交' (Chinese for 'commit'), or any Git submission operations. Prov...
⭐ 0 · 57 · 0 current · 0 all-time
by yuangui@yinwuzhe
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The name/description (Git commit/push workflow and code review) aligns with the instructions: git commands, code review, commit message generation, build checks and secret scanning. The included helper files are placeholders and consistent with a documentation/example-focused skill.
Instruction Scope
SKILL.md contains a direct contradiction: it states 'NEVER automatically commit or push code without explicit user approval.', but Step 1 instructs the agent to auto-commit any existing uncommitted changes via 'git add .; git commit -m "chore: 保存当前工作进度"' (the message means "chore: save current work in progress") without asking for confirmation. That gives the agent licence to change the repository's local state without explicit user consent, and because 'git add .' stages every untracked file in the working tree, it can sweep build artifacts or stray secrets into a commit. The instructions also require always running 'go build' (which assumes a Go project) and mandate Chinese commit messages; both are opinionated choices that may be inappropriate for a given repository. Finally, they direct the agent to switch remotes to SSH, a git config change that is hard to notice and can break existing workflows, rather than merely advising the user to consider it. These are scope/behaviour mismatches that need to be clarified and tied to explicit, per-action user approval.
Install Mechanism
No install spec; instruction-only skill with a tiny example script and placeholder assets. Nothing is downloaded or installed, which is low risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. The recommended actions (git, go build) use local tooling and the repo; no hidden credential requests are present. Note: suggesting SSH remote usage implicitly assumes SSH keys are configured but does not request them.
Persistence & Privilege
The skill's always flag is false, and the skill is user-invocable with normal autonomous invocation allowed. It does not request any persistent system-wide modification beyond running git commands inside the repository. However, because it can run git operations, the auto-commit contradiction raises operational risk if the skill is executed without clear confirmation prompts.
What to consider before installing
This skill generally matches its stated purpose, but do not install or run it as-is. SKILL.md both forbids automatic commits and then prescribes an automatic local commit step; clarify which behaviour is intended before use. Before using it:
(1) require that the skill always prompts for, and receives, explicit per-action user approval before running any git add/commit/pull/push or changing remotes;
(2) confirm that running 'go build' is appropriate for the target repository (the skill assumes a Go project);
(3) treat the suggestion to convert remotes to SSH with caution: do not let the agent run git remote set-url without explicit user consent and an understanding of the repository;
(4) if you need non-Chinese commit messages or a different workflow, update the skill instructions;
(5) test in a disposable clone of a repository first, so that accidental local commits or config changes cannot affect important work.
The included example script is inert placeholder material and there are no declared secrets or download steps, but the contradictory auto-commit behaviour is the primary red flag that must be addressed before trusting the skill to operate on real repositories.
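One way to enforce the per-action approval the scan recommends, as an added example that is neither the skill's own code nor part of ClawHub's scanner: a POSIX shell wrapper that prompts before any git subcommand that mutates the working tree, history, remotes or config, lets read-only git commands through untouched, and refuses to run 'go build' outside a Go module. The function names, the list of mutating subcommands, the "type yes" convention and the return codes are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the skill's code): guard the git steps the scan flags.
# Assumptions: the agent calls guarded_git instead of git, and the human
# answers on stdin. Function names and the mutating-subcommand list are ours.

# Approve only on an exact "yes"; a stray "y" or a bare Enter must not
# approve a commit, push or remote change.
require_approval() {
    printf 'About to run: %s\nType "yes" to approve: ' "$1" >&2
    read -r answer
    [ "$answer" = "yes" ]
}

# Subcommands that change the working tree, history, remotes or config.
# Read-only ones (status, diff, log, show) fall through and run freely.
is_mutating_git() {
    case "$1" in
        add|commit|push|pull|merge|rebase|reset|checkout|switch|remote|config|clean)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Run git, prompting first for any mutating subcommand.
# Returns 2 when the user declines, so the caller can tell "declined"
# apart from "git itself failed".
guarded_git() {
    if is_mutating_git "$1"; then
        require_approval "git $*" || return 2
    fi
    git "$@"
}

# The skill's Step 1 amounts to: git add . ; git commit -m "<message>".
# Routed through the wrapper, the same step cannot proceed silently:
# the user is asked before the staging step and again before the commit.
auto_commit_guarded() {
    guarded_git add . && guarded_git commit -m "$1"
}

# The skill unconditionally runs `go build`; only do so inside a Go module.
is_go_project() {
    [ -f "${1:-.}/go.mod" ]
}

# Returns 3 (without invoking go) when the directory is not a Go module.
build_if_go() {
    dir="${1:-.}"
    if ! is_go_project "$dir"; then
        printf 'no go.mod in %s; skipping go build\n' "$dir" >&2
        return 3
    fi
    (cd "$dir" && go build ./...)
}
```

Converting a remote to SSH goes through the same gate: 'guarded_git remote set-url origin git@...' prompts because 'remote' is on the mutating list, while 'guarded_git status' and 'guarded_git diff' run without a prompt. Distinct return codes (2 for a declined action, 3 for a skipped build) let an agent report what happened instead of treating a refusal as a generic failure.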
Latest version ID: vk97b422ahw7ee5fpssgr1j7qgn83hxhr
