Using Git Worktrees

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed because it can automatically change git history and run dependency/build/test commands without an approval step.

Install only if you want agents to create and prepare git worktrees automatically. For untrusted or sensitive repositories, tell the agent to ask before editing .gitignore, creating commits, installing dependencies, building, or running tests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill's stated purpose is to create an isolated worktree, but it also instructs the agent to modify repository state by editing and committing .gitignore. That introduces an unrelated write/commit side effect that can silently change project history and policy, which is risky when the user only asked for workspace setup.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill expands from creating a worktree into automatically installing dependencies and running tests, which can execute untrusted project code and trigger network access, filesystem writes, hooks, or expensive operations. Those actions materially exceed the narrow setup purpose and increase the blast radius of invoking the skill.

Missing User Warnings

Medium
Confidence: 97%
Finding
Requiring modification and commit of .gitignore without explicit confirmation causes the agent to change tracked repository content and create a commit autonomously. Silent commits are a significant safety issue because they affect version history, may trigger CI or policy workflows, and can be hard for users to notice immediately.

Missing User Warnings

Medium
Confidence: 98%
Finding
Automatically running npm install, pip install, poetry install, cargo build, or go mod download can fetch remote code and execute install/build scripts from the target repository or its dependencies. In a security context, this is dangerous because the repository contents are adversarial by default and these commands can cause arbitrary code execution or persistent local changes.

VirusTotal

63/63 vendors flagged this skill as clean.