Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
commit-message-linter
v1.0.0
Validate git commit messages against Conventional Commits spec and configurable rules. Use when linting commit messages, enforcing commit conventions, checki...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: the script lints commit messages, reads commits via 'git log' or .git/COMMIT_MSG, and can generate a .commitlintrc.json. No unrelated capabilities or credentials are requested.
Instruction Scope
SKILL.md and the script stay within scope: running the linter on commits/branches/messages, installing a commit-msg hook, and initializing a local config. The script reads repository files and config files it auto-discovers; it does not instruct reading unrelated system files or sending data externally.
Install Mechanism
No install spec (instruction-only) and the included script is pure Python with no external dependencies. This is low-risk and proportionate for the stated purpose.
Credentials
The skill requires no environment variables, no external credentials, and does not access network endpoints. It uses subprocess to call 'git', which is expected for a git-centric tool.
Persistence & Privilege
always is false and the skill is user-invocable. The only persistence behavior is creating a local .commitlintrc.json when the user runs the init command, which is appropriate for a linter.
Assessment
This skill appears to do exactly what it says: lint commit messages and optionally write a local config file. Before installing or adding it as a commit hook: (1) inspect the included scripts (already provided) to confirm they meet your policies; (2) run it in a test repository first to see what it writes (init will create .commitlintrc.json); (3) avoid running hooks on repositories that contain secrets you don't want processed by third-party tools; and (4) ensure python3 is the interpreter you expect. If you want extra assurance, run the script in a sandboxed repo to observe behavior. Confidence is high based on the provided SKILL.md and script (no network/credential use detected).
Like a lobster shell, security has layers: review code before you run it.
