Skill v1.0.0

ClawScan security

Summarize a person's git commits for a specific date, grouped by feature points, in English. Use when reviewing daily work output. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 1:59 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions match its stated purpose (summarizing a user's git commits for a date) and do not request unrelated credentials or installs, though it implicitly requires a local git repository and the git binary, neither of which is declared.
Guidance
This skill will run git commands in whatever working directory the agent is given, so it needs (1) the git binary available on PATH and (2) to be run inside the repository whose commits you want summarized. It will read commit messages, stats, and file paths — essentially reading repo history and metadata — so only use it where you are comfortable allowing the agent to view that code and its logs. Also confirm how you want date boundaries handled (timezones) before relying on the summary, and ensure the author name you pass matches the author format git uses in your repo. Finally, because the registry metadata doesn't list git as a required binary, make sure your environment provides git and Bash before installing or invoking the skill.

Review Dimensions

Purpose & Capability
note: The skill's name and description match the instructions (it runs git log, groups commits by feature areas, and formats a summary). However, the registry metadata lists no required binaries while the SKILL.md explicitly runs git commands — the skill implicitly requires access to a local git repository and the git binary being available on PATH. That omission is a minor coherence gap to surface to users.
Instruction Scope
ok: SKILL.md confines actions to running git log (with and without --stat) filtered by date and author, analyzing commit messages and file paths, and producing a grouped summary. It does not instruct reading unrelated system files, contacting external endpoints, or accessing credentials. One small ambiguity: it asks the agent to convert the YYYY.MM.DD input into git --after/--before timestamps but does not define timezone handling; the user/agent should ensure correct timezone boundaries when invoking the skill.
Install Mechanism
ok: There is no install spec (instruction-only), so nothing will be downloaded or written to disk by an installer. This is low-risk. The only runtime requirement is that git is present in the environment and the agent can execute shell commands (Bash).
Credentials
ok: The skill declares no environment variables or credentials, and the instructions do not access secrets. The main capability is read access to the repository and commit history, which is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistent privileges. Autonomous invocation is allowed (platform default), but there is no sign it attempts to modify agent/system configuration or other skills.