Git Security Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent, user-directed repository security scanning skill, with normal cautions around external tool installs, reports that may contain secrets, and optional pre-commit hooks.
Before installing, verify the external tools you install, confirm the expected `git-security-scan` command is actually provided, protect any generated reports as sensitive, and only enable the pre-commit hook in repositories where you want commits blocked on high-severity findings.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The scanner may reveal real credentials in terminal output or saved reports.
The skill is explicitly designed to locate credentials and other secrets in repositories. This is purpose-aligned, but it means scan output and reports may expose sensitive material to anyone who can view them.
Secrets (gitleaks + shipguard SEC rules):
- API keys ...
- Database connection strings with embedded passwords
- SSH private keys and PEM files
- JWT tokens and session secrets
Run it only on repositories you are authorized to inspect, and store or share generated reports carefully.
After installation, commits in that repository may be blocked until reported issues are fixed or the hook is changed.
The hook is persistent behavior inside the repository and can affect future commits. It is clearly disclosed and user-directed, so this is a notice rather than a concern.
This installs a pre-commit hook in the current repo that runs `git-security-scan --staged-only --severity high` on every commit. Commits with critical or high severity findings are blocked.
Install the hook only in intended repositories and review the hook/configuration if commits are unexpectedly blocked.
Installing or updating the external scanner can bring in code outside the reviewed skill artifact.
The skill relies on an external Python package installed without a pinned version. This is expected for a wrapper-style scanner, but users should verify the package source and version.
pipx install shipguard # or: pip install shipguard
Install scanner dependencies from trusted sources, prefer pinned or known-good versions where possible, and verify the `git-security-scan` command installed on your system.
