git-conventions

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a simple instruction-only Git workflow skill with no code, install steps, credentials, or hidden behavior; its Git push and sign-off rules are disclosed and user-controlled.

This skill appears safe for normal Git workflow guidance. Before installing, make sure you are comfortable with always using Git sign-offs and with being prompted before publishing commits to a remote repository.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user approves a push or force-push, changes may be published to a remote repository or shared history may be rewritten.

Why it was flagged

The skill governs remote Git operations, including force-pushes that can affect shared repository history, but it explicitly requires user confirmation rather than automatic pushing.

Skill content

Always confirm before `git push --force` ... ALWAYS prompt the user whether they want to push to the remote repository.

Recommendation

Only approve pushes when the branch, remote, and intended changes are clear; keep the force-push confirmation requirement.

What this means

Commits may include the user's configured name and email and may be interpreted as a Developer Certificate of Origin sign-off.

Why it was flagged

Using --signoff appends the configured Git name and email to commit messages, creating a persistent identity attestation in repository history.

Skill content

Include `--signoff` flag with all commits.

Recommendation

Use this skill only if sign-off is appropriate for the repository, and confirm the Git identity configured on the machine.