> I also don't know if "pull" is vulnerable, or just "clone" and "checkout

Yes it is

Now if you just do fetch and don't merge/rebase you're safe, still, this is a very rare occurence