Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
git-release-notes
v1.0.0
Generate polished release notes and changelogs from git history. Analyzes commits between tags/refs, categorizes changes (features, fixes, breaking changes, ...
⭐ 0 · 57 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (generating release notes from git history) matches the included script and the SKILL.md workflow. However, the files rely on git and python3 (a git log call and an inline Python JSON serializer) even though the skill metadata declares no required binaries; the author should have declared those dependencies.
Instruction Scope
The SKILL.md instructions are narrowly scoped to reading git history between refs, categorizing commits, and formatting output. They do not instruct the agent to read unrelated system files or environment variables, or to send data to external endpoints.
Install Mechanism
This is an instruction-only skill with a small bundled script. There is no install spec and no remote download. The script runs local git and Python commands and writes only to stdout; the skill itself performs no installation actions.
Credentials
No environment variables or external credentials are requested (OK). However, the script extracts and emits author emails and other commit metadata in full as JSON. That is reasonable for release notes or contributor lists, but it may expose private email addresses or other sensitive commit details, and the skill neither declares nor warns about this privacy exposure.
Persistence & Privilege
The skill does not request persistent presence (always:false) or elevated privileges, and it does not modify other skills or system configuration. Autonomous invocation is allowed by default (normal).
What to consider before installing
This skill is mostly coherent for generating release notes, but review the included script before running it. Specific checks:
1) It uses git and python3 even though the metadata lists no required binaries; make sure those are available and that their use is intended.
2) The script emits author email addresses and full commit bodies in JSON; if you plan to run it against repositories containing private emails or sensitive commit messages, remove or mask the email/body fields.
3) Because it is an instruction-only skill with an embedded script, run it in a safe environment (or on a copy of the repository) first to confirm its behavior. If you do not trust the source, do not run it against sensitive repositories.
Finally, you may ask the author to update the metadata to declare the required binaries (git, python3) and to add an option to omit emails and commit bodies for privacy.
latest: vk97fd5pxvsfeqfzn54kq1bsngn84kvpc
