Git Assistant

Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill mostly matches its Git-helper purpose, but one visible command builds a shell command from a tag argument and runs it with eval, which could execute unintended commands.

Review this skill before installing. It appears purpose-aligned and read-only for git operations, but the eval usage in the changelog command should be fixed before using it on untrusted repositories or tag names. Also avoid sending diffs that contain secrets or confidential code to the external AI service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the changelog command on a maliciously crafted tag or argument could run unintended shell commands in the user's environment.

Why it was flagged

The user-supplied --from value is interpolated into a shell command string and then executed with eval. Even though git rev-parse is called, shell metacharacters in a crafted ref/tag name could still be interpreted by the shell.

Skill content

--from) from_tag="${2:-}"; shift 2 ;;
...
log_cmd="$log_cmd ${from_tag}..HEAD"
...
log_output=$(eval "$log_cmd" 2>/dev/null)

Recommendation

Remove eval and call git with an argument array, for example: git log --oneline --no-merges "${from_tag}..HEAD" or an equivalent quoted array-based command.

What this means

The EvoLink API key may grant access to the user's EvoLink account or quota, so it should be treated as a secret.

Why it was flagged

The skill requires an EvoLink API key and sends it as the provider authentication header. This is expected for the disclosed integration and no unrelated credential use is shown.

Skill content

local api_key="${EVOLINK_API_KEY:?Set EVOLINK_API_KEY for AI features. Get one at https://evolink.ai/signup}"
...
-H "x-api-key: $api_key"

Recommendation

Use a provider-specific, revocable API key and avoid pasting it into shared logs, prompts, or repositories.

What this means

Staged diffs, commit history, or branch changes may leave the local machine and be processed by EvoLink/Claude.

Why it was flagged

The skill clearly discloses that repository diffs or commit history are sent to an external AI service. This is purpose-aligned, but repository data can contain proprietary code or secrets.

Skill content

AI commands send git diff output or commit history to `api.evolink.ai` for analysis by Claude.

Recommendation

Before using AI commands, review staged changes and history for secrets or confidential code; use the local conventions command when no external transmission is desired.