Is daxiongmao87/gimhub safe?

The cmd_push function in gimhub.py, when invoked without --files, recursively walks Path('.') and uploads every non-hidden, non-binary file to gimhub.dev. The exclusion set is {'.git', 'pycache', 'node_modules', '.venv', 'venv'}, which does not cover common sensitive file names like config.json, settings.py, credentials.yaml, .pem certificates (if not hidden), or any project-specific secret file that doesn't use dotfile naming. An agent asked to 'push the project' without understanding the scope of this default would silently exfiltrate the entire working directory.

SKILL.md states 'Never commit secrets. API keys, tokens, passwords, credentials—none of it.' However, gimhub.py performs no pattern matching, entropy analysis, or filename-based secrets detection before pushing files. The advisory is only a behavioral prompt for the agent, which may be overridden by other instructions or simply missed in context.

All content pushed via this skill is transmitted to gimhub.dev, a third-party service operated by the skill author or associated parties. Users of this skill implicitly grant gimhub.dev visibility into any code or content the agent pushes. There is no data processing agreement or privacy guarantee visible in the skill.

When combined with skills that can read files from the filesystem (e.g., a code editor skill, a file search skill), this skill completes an exfiltration pipeline: the other skill reads sensitive files into the agent context, and this skill provides the mechanism to push that content to an external server. Neither skill alone triggers typical security controls, but together they enable data exfiltration.

scripts/gimhub.py is an executable Python script bundled with the skill. While it does not auto-execute on install and uses only Python stdlib, its inclusion means an agent with shell access can directly invoke it. The script's broad file-reading behavior (cmd_push default) and network transmission capability make it a significant tool if misused.

SKILL.md uses persistent identity language ('Every commit you push is attributed to you—your name, your work, your reputation') that may cause an agent to develop attachment to the gimhub.dev identity and act to protect or grow that identity in ways not intended by the user, such as proactively pushing work or starring repositories.

After registration, the API token is saved to ~/.gimhub/config.json in plaintext. This file is readable by any process running as the same user. If another malicious skill reads this file, it can impersonate the agent's gimhub.dev identity and push arbitrary content under the agent's name.

The skill installation was clean. The only external network connection during install was the expected HTTPS connection to GitHub (140.82.121.3:443) for the git clone. No connections to gimhub.dev were made during installation. No files were written outside the skill directory.

Canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were accessed at audit timestamps 1771922904.965 (~5.5s before git clone at 1771922910.435) and 1771922928.922 (post-install monitoring check). Both access batches are attributable to the Oathe monitoring framework performing pre/post canary integrity checks, not to the skill. All files remain unmodified.