ClawHub

Git Manager

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Git automation skill, but it needs Review because it can make lasting repository changes and includes under-scoped or misleading guidance for destructive Git, LFS, and token-handling workflows.

Install only if you want an agent to run powerful Git operations on your repositories. Use least-privilege tokens through a credential helper or protected environment variable, not in command lines or clone URLs. Review and explicitly approve reset, clean, rebase, batch pull, push, remote changes, and LFS migration commands; use dry-run, limits, filters, backups, or temporary branches before bulk changes. Avoid the LFS migrate --to git path until that behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document explicitly recommends embedding an access token directly into an HTTPS clone URL. This is unsafe because such URLs can be exposed through shell history, process listings, logs, config files, terminal scrollback, screenshots, and accidental copy/paste, creating a real risk of credential leakage.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The code comment and CLI help claim token fallback via environment variables, but the actual lookup is broken because env_map keys are lowercase while args.platform.upper() is used. This can cause operators to believe authentication is in effect when it is not, leading to accidental unauthenticated requests, incomplete repository sets, or use of alternate credential mechanisms under false assumptions.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation guidance says to use this skill for essentially any multi-repo management, synchronization, or Git workflow automation task, which is overly broad for a skill that can modify repositories, contacts remote services, and uses credentials. Overbroad routing increases the chance the agent invokes powerful destructive operations in situations where a narrower, read-only, or confirmation-gated tool would be safer.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents destructive commands such as reset, including hard reset to prior commits, without an explicit warning that these actions can permanently discard local changes and history references from the working tree. In an agent setting, such omissions are dangerous because users may request general repository help and the agent could apply irreversible commands without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented clean operation force-deletes untracked files and directories, yet the skill does not provide a strong explicit safety warning that these files may be unrecoverable. Because the skill is intended for automation, an agent could remove build artifacts, drafts, secrets, or local work product from the repository directory with no confirmation barrier.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The authentication examples show bearer tokens in documentation without nearby warnings about secret handling, storage, masking, or least privilege. In a Git automation skill, users are likely to copy examples directly, so omission of safety guidance materially increases the chance of leaking credentials during routine use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples explicitly show access tokens passed on the command line, which can expose credentials via shell history, process listings, audit logs, screenshots, and terminal recording tools. In a Git automation skill that encourages bulk operations across many repositories and platforms, this pattern increases the chance users will copy insecure practices and leak high-value tokens with broad repository access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The batch pull examples promote update operations such as --rebase and --stash without warning that they can alter working trees, temporarily move local changes, create merge/rebase conflicts, or rewrite local history. In a tool designed for multi-repo automation, omissions like this are more dangerous because one command can affect many repositories at once, amplifying the risk of accidental data loss or workflow disruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When --lfs is enabled, the script silently appends tracking rules to .gitattributes inside cloned repositories. In a batch Git-management skill, modifying repository contents without an explicit warning or opt-in at the point of change can alter future commit behavior across many repos and may lead to unintended data handling or commits of configuration changes.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal