Finishing a Development Branch

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate git workflow skill, but contradictory cleanup instructions could remove a local worktree after the user chose to create a pull request.

Review this skill before installing if you use git worktrees. It is not malicious, but before choosing merge, PR, or discard, verify the branch, base branch, remote, GitHub account, and worktree path. Treat Option 2 carefully because the instructions disagree about whether the local worktree should be removed after creating the PR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The Quick Reference says Option 2 (Create PR) keeps the worktree, but Step 5 states cleanup occurs for Options 1, 2, and 4. This internal contradiction can cause the agent to remove a worktree after opening a PR, potentially deleting an active workspace the user expected to preserve and leading to disruption or data loss in local, uncommitted state.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The Common Mistakes section says not to clean up automatically for Option 2, while Step 5 explicitly instructs cleanup for Option 2. Contradictory operational instructions are dangerous in an agent skill because they can produce inconsistent execution paths, including unintended workspace removal after remote publication.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The 'Always' section states cleanup should happen only for Options 1 and 4, contradicting Step 5, which includes Option 2. This mismatch increases the chance that an implementation will perform destructive cleanup under one interpretation and preservation under another, making the skill unreliable and potentially harmful to user environments.

Missing User Warnings

Medium
Confidence: 90%
Finding
Option 2 performs `git push` and `gh pr create`, which transmit code and descriptive metadata to a remote service, but the skill does not explicitly warn the user that local changes will be published externally. In a security-sensitive or private repository context, this can expose proprietary code, secrets, branch names, or implementation details without sufficiently informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
