Smart Commit

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This text-only skill drafts commit messages, PR descriptions, and release notes from code changes; its broad triggers need attention, but no hidden code execution or data transfer was found.

Install this if you want an agent to draft commit messages, PR descriptions, and release notes. In sensitive repositories, explicitly confirm before allowing it to inspect diffs or commit history, and tell the agent which output language to use.

SkillSpector (3 findings)

By NVIDIA

Natural-Language Policy Violations
Medium (83% confidence)
Finding: Automatically choosing output language based on inferred project language without user consent can cause the agent to override explicit user preference or leak contextual inferences about the repository into generated output. In an agent setting, silent automatic behavior reduces user control and can lead to misleading or unexpected outputs in mixed-language or sensitive repos.

Natural-Language Policy Violations
Medium (87% confidence)
Finding: The configuration section states that language detection happens automatically with no user choice, reinforcing a non-consensual behavior pattern. While not directly enabling code execution, this can undermine user intent, cause incorrect outputs, and in some contexts expose inferred project characteristics that the user did not ask the agent to reveal or use.

Vague Triggers
Medium (93% confidence)
Finding: The trigger conditions are broad enough to activate on common developer phrases like 'commit', '提交', 'PR描述', or 'changelog', which can cause the skill to be invoked in situations where the user did not explicitly request commit-message generation. This can lead to unintended context capture or inappropriate workflow steering, especially in environments where skills may read repository diffs or suggest git commands based on vague conversational cues.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors rated this skill as clean.
