Commit Analyzer

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to read local Git commit history and report activity metrics, with no evidence of data exfiltration, credential use, or destructive behavior.

This skill looks safe for its stated purpose. Before installing, verify any external clone source, run it only in the Git repository you intend to analyze, and be deliberate about enabling the optional heartbeat memory log.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can reveal local project activity patterns and commit metadata in its reports.

Why it was flagged

The skill invokes the local Git CLI to read repository commit history. This is central to the stated purpose and does not mutate data, but it means the skill should be run only in repositories the user intends to analyze.

Skill content

git log --since="$days days ago" --oneline 2>/dev/null | wc -l | tr -d ' '

Recommendation

Run it only in the intended Git repository and review output before sharing it outside your workspace.

What this means

Installing from the external repository could fetch code that differs from the reviewed files.

Why it was flagged

The README offers an external GitHub clone path. This is user-directed and not executed by the skill, but it is an unpinned external source compared with the reviewed artifact set.

Skill content

git clone https://github.com/bobrenze-bot/commit-analyzer.git

Recommendation

Install the reviewed version when possible, or verify the GitHub repository and commit before cloning.

What this means

If enabled, commit-health summaries may remain in persistent agent memory or logs.

Why it was flagged

The documented heartbeat integration suggests persisting analysis results in a memory file. This is purpose-aligned, but persistent summaries can be reused later and may encode private activity patterns.

Skill content

Log: Append result to memory/heartbeat-state.json

Recommendation

Use the heartbeat logging only if you want this activity data persisted, and avoid storing sensitive repository details in shared memory.