Gitbuddy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
GitBuddy appears to be a local offline logging helper rather than a full Git automation tool; the main points to note are its persistent local logs and its export behavior.
This looks acceptable for an offline local development logbook. Before installing, understand that it records command inputs under `~/.local/share/gitbuddy/`; avoid entering secrets, and treat exports as files that may need review before sharing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything the user or agent records, including sensitive code-review details or secrets accidentally included in text, may remain in local log files.
The skill intentionally persists user-provided development notes and activity history for later viewing, searching, and export.
All data is stored locally at `~/.local/share/gitbuddy/`. Each domain command writes to its own log file ... A unified `history.log` tracks all actions across commands.
Use it for non-secret development notes, avoid logging credentials or private tokens, and periodically review or delete `~/.local/share/gitbuddy/` if needed.
A user or agent might invoke it expecting real Git branch cleanup or repository analysis, when the visible behavior is logging and reporting on its own stored entries.
The headline description suggests Git utilities such as branch cleanup, while the detailed instructions describe a local activity logger. The detailed behavior is disclosed, but the positioning could create incorrect expectations.
description: "Extend Git with utilities for changelogs, branch cleanup, and repo stats." ... "Each domain command works in two modes: log mode ... saves a timestamped entry, view mode ... shows the 20 most recent entries."
Treat GitBuddy as a local development logbook unless separate reviewed artifacts show actual Git automation.
Exports may be malformed or unsafe to open in spreadsheet tools if log entries contain quotes, commas, newlines, or formula-like text.
User-controlled log values are exported into JSON and CSV formats without visible escaping or quoting.
`printf ' {"type":"%s","time":"%s","value":"%s"}' "$name" "$ts" "$val" >> "$out"` ... `echo "$name,$ts,$val" >> "$out"`
Inspect exported files before sharing or opening them in spreadsheet software, especially if entries include untrusted text.
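The two export lines quoted above interpolate log values straight into JSON and CSV. The following is an added example, not GitBuddy's own code, showing the hardened form of that export: each value is escaped for JSON (backslash, quote, tab, CR, newline) and quoted for CSV (embedded quotes doubled, formula-like leading characters neutralised with a leading single quote). The field names `name`, `ts` and `val` mirror the quoted snippet; the `.json`/`.csv` output suffixes and the `export_entry` wrapper are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of GitBuddy: escape user-controlled log values
# before they reach JSON and CSV exports instead of interpolating them raw.

tab=$(printf '\t')
cr=$(printf '\r')

# Escape a value for use inside a JSON string literal.
# Backslash and double quote are escaped first, then tab and carriage return;
# awk joins the lines with a literal "\n" so embedded newlines cannot break
# the one-object-per-line layout.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
          -e "s/$tab/\\\\t/g" -e "s/$cr/\\\\r/g" \
    | awk 'BEGIN { ORS = "" } NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Quote a value as one CSV field (RFC 4180 style): double any embedded
# quotes and wrap the whole field in quotes so commas and newlines stay
# inside the cell. Values that a spreadsheet would treat as a formula
# (leading =, +, -, @, tab or CR) get a leading single quote so they are
# shown as text rather than evaluated.
csv_field() {
  v=$1
  case $v in
    [=+@-]*|"$tab"*|"$cr"*) v="'$v" ;;
  esac
  v=$(printf '%s' "$v" | sed 's/"/""/g')
  printf '"%s"' "$v"
}

# Hypothetical replacement for the two raw export lines: writes one JSON
# object per line to "$out.json" and one CSV row to "$out.csv".
export_entry() {
  name=$1; ts=$2; val=$3; out=$4
  printf '{"type":"%s","time":"%s","value":"%s"}\n' \
    "$(json_escape "$name")" "$(json_escape "$ts")" "$(json_escape "$val")" \
    >> "$out.json"
  printf '%s,%s,%s\n' \
    "$(csv_field "$name")" "$(csv_field "$ts")" "$(csv_field "$val")" \
    >> "$out.csv"
}
```

With constructed input such as `export_entry note 2024-01-01T00:00:00Z '=HYPERLINK("x"),"y"' ./gitbuddy-export`, the JSON line carries `\"` for the quotes and the CSV cell becomes `"'=HYPERLINK(""x""),""y"""`, so the comma stays inside the cell and the formula prefix is not evaluated. The single-quote prefix does alter the stored text, which is the usual trade-off of this mitigation; reviewers who prefer lossless exports can drop that `case` branch and keep the quoting alone.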
