Plugin v0.1.0
ClawScan security
skill-git-official · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 30, 2026, 11:22 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's high-level purpose (git-like management of local skills) matches its behavior, but the runtime instructions and shipped scripts perform broad filesystem reads, destructive git operations, and include prompt-injection indicators while the declared requirements are incomplete — review before installing.
- Guidance
- What you should consider before installing:
  - Review the shipped shell scripts (scripts/sg-*.sh) yourself. They will be executed by the agent and perform git operations, create/modify ~/.skill-git/config.json and caches, and read many files under ~ and project directories.
  - Expect the tool to run git and other CLI utilities (git, ps, find, stat, cp). The package metadata does not declare 'git' as a required binary — ensure git is installed and verify the scripts' assumptions.
  - The skill reads full contents of untracked files and includes them in change summaries. If you keep secrets or credentials inside any SKILL.md or related files, those may be exposed to the agent UI or logs. Remove or move secrets before running.
  - The tool can perform destructive actions (git reset --hard, tag deletion, overwrites). Always keep backups and test in a sandbox or on a copy of your skills first (or run /skill-git:init against a non-production directory).
  - Prompt-injection indicators were found in SKILL.md (ignore-previous-instructions, unicode control chars). This is unexpected — inspect SKILL.md for hidden characters and any unusual instructions before trusting autonomous invocation.
  - If you are comfortable, run the scripts manually step-by-step rather than granting the skill autonomous invocation. Limit the agent's permission to run the skill autonomously until you've audited behavior.

  If you want, I can highlight specific lines in the included scripts and command docs that perform file reads, include file contents in outputs, or run destructive git commands.
- Findings
- [prompt-injection:ignore-previous-instructions] unexpected: The SKILL.md contains patterns that attempt to override or ignore prior instructions — not expected for a local git-management tool and could indicate an attempt to manipulate the agent's runtime behavior.
- [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md content. These are unusual in legitimate docs and can be used to obfuscate or inject hidden instructions.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to version-control and merge local skills, which legitimately requires reading/writing skill directories and running git. However the registry metadata lists no required binaries or env vars even though the runtime docs and scripts invoke git, ps, stat, find, and bash. The absence of a declared 'git' requirement (and other CLI tools used) is an incoherence that increases risk.
- Instruction Scope
- concern: The SKILL.md and command documents instruct the agent to scan the user's skill directories, read many config files (project/global agent configs, installed_plugins.json), include full contents of untracked files in summaries, and run destructive git operations (reset --hard, tag deletion). Those actions are within the stated purpose but have broad scope (reads arbitrary files under user home and project directories, assembles file contents) and can surface sensitive data. The pre-scan found prompt-injection patterns (ignore-previous-instructions, unicode-control-chars) in the SKILL.md — that is unexpected and suspicious.
- Install Mechanism
- note: No install spec (instruction-only) — lowest install risk — but the package includes many shell scripts that the agent will run at runtime (sg-init.sh, sg-git.sh, sg-prelude.sh, etc.). Because nothing is installed through an external download, there is no hidden network-install risk, but runtime execution of included scripts means local code will be executed when commands run.
- Credentials
- concern: The skill declares no required env vars or credentials. In practice it expects plugin runtime variables (CLAUDE_PLUGIN_ROOT) and reads many user config paths (~/.claude, ~/.skill-git, installed_plugins.json, project config files). It also reads and includes untracked file contents — this level of file access can expose secrets stored in skill files. The requested access pattern is broader than the metadata implies.
- Persistence & Privilege
- note: always:false and user-invocable:true (normal). The skill writes to ~/.skill-git/ (config and cache) and performs git commits/tags/backups — this persistence is expected for a versioning tool. Still, allowlisting/autonomy controls are recommended because the skill can perform destructive operations if invoked.
