Git Assistant

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

Running the changelog command with a maliciously crafted --from value (a tag or ref name chosen by an attacker) could execute arbitrary shell commands in the user's environment.

Why it was flagged

The user-supplied --from value is interpolated into a shell command string that is then executed with eval. The git rev-parse call elsewhere in the script does not help: the raw string still reaches eval, where shell metacharacters in a crafted ref or tag name (such as ;, |, $(...) or backticks) are interpreted by the shell before git ever sees the ref.

Skill content
--from) from_tag="${2:-}"; shift 2 ;;
...
log_cmd="$log_cmd ${from_tag}..HEAD"
...
log_output=$(eval "$log_cmd" 2>/dev/null)
Recommendation

Remove eval and call git with an argument list, for example: git log --oneline --no-merges "${from_tag}..HEAD" or an equivalent quoted array-based command, so the value is passed as a single argv element and never re-parsed by the shell. Validate the value before use (git check-ref-format and git rev-parse --verify) and reject values that begin with a dash, so a crafted --from value cannot be read as a git option either.
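The following is an added example, not code from the Git Assistant skill or from the ClawScan report: the flagged eval shape placed beside a hardened replacement, exercised against a throwaway git repository constructed in the script. Function names, the demo repository, and the crafted --from value are assumptions; the only dependency is git.

```shell
#!/bin/sh
# Added example, not the Git Assistant skill's own code: the flagged eval pattern
# next to a hardened replacement. Function names and the demo repo are assumptions;
# the only dependency is git.
set -u

# Run git in the demo repo with a fixed identity and signing disabled.
demo_git() {
  local repo="$1"; shift
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false "$@"
}

# Constructed repo: one commit, tag v1.0, then two more commits. Prints its path.
setup_demo_repo() {
  local repo
  repo=$(mktemp -d) || return 1
  git -c init.defaultBranch=main init -q "$repo"
  demo_git "$repo" commit -q --allow-empty -m "first"
  demo_git "$repo" tag v1.0
  demo_git "$repo" commit -q --allow-empty -m "second"
  demo_git "$repo" commit -q --allow-empty -m "third"
  printf '%s\n' "$repo"
}

# VULNERABLE (same shape as the flagged code): the --from value is spliced into a
# command string and handed to eval, so ';', '$(...)', '|' etc. inside it are run
# by the shell before git ever sees the ref.
changelog_unsafe() {
  local repo="$1" from_tag="$2"
  local log_cmd="git -C $repo log --oneline --no-merges"
  log_cmd="$log_cmd ${from_tag}..HEAD"
  eval "$log_cmd" 2>/dev/null
}

# HARDENED: validate the ref with git's own tools, then pass every value as its
# own argv element. No string is ever re-parsed by the shell. An optional third
# argument (commit limit) is validated too, since it is just as user-controlled.
changelog_safe() {
  local repo="$1" from_tag="$2" max="${3:-}"

  # Never let the value be read as an option, and insist on a well-formed ref name.
  case "$from_tag" in ''|-*) echo "invalid ref: '$from_tag'" >&2; return 1 ;; esac
  git check-ref-format --allow-onelevel "$from_tag" >/dev/null 2>&1 \
    || { echo "invalid ref: '$from_tag'" >&2; return 1; }
  # The ref must also resolve to a commit in this repo.
  git -C "$repo" rev-parse --verify --quiet "${from_tag}^{commit}" >/dev/null 2>&1 \
    || { echo "unknown ref: '$from_tag'" >&2; return 1; }

  # Build the argument list with positional parameters (portable sh equivalent of a
  # bash array); each element stays intact whatever characters it contains.
  set -- log --oneline --no-merges
  if [ -n "$max" ]; then
    case "$max" in *[!0-9]*) echo "invalid count: '$max'" >&2; return 1 ;; esac
    set -- "$@" -n "$max"
  fi
  # The trailing -- ends revision parsing, so nothing after it can become an option.
  git -C "$repo" "$@" "${from_tag}..HEAD" --
}

demo() {
  local repo crafted='v1.0..HEAD; echo INJECTED #'
  repo=$(setup_demo_repo) || return 1
  echo "== unsafe with crafted --from: the last line is attacker-controlled output =="
  changelog_unsafe "$repo" "$crafted"
  echo "== hardened with the same value =="
  changelog_safe "$repo" "$crafted" || echo "(rejected)"
  echo "== hardened with a real tag, limited to 1 commit =="
  changelog_safe "$repo" v1.0 1
  rm -rf "$repo"
}

demo
```

The validation in changelog_safe accepts ref names only, not revision expressions such as HEAD~3; relax the check-ref-format step if the command is meant to take those, but keep the leading-dash rejection and the rev-parse --verify step in any case.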

What this means

The EvoLink API key may grant access to the user's EvoLink account or quota, so it should be treated as a secret.

Why it was flagged

The skill requires an EvoLink API key and sends it as the provider authentication header. This is expected for the disclosed integration and no unrelated credential use is shown.

Skill content
local api_key="${EVOLINK_API_KEY:?Set EVOLINK_API_KEY for AI features. Get one at https://evolink.ai/signup}"
...
-H "x-api-key: $api_key"
Recommendation

Use a provider-specific, revocable API key, supply it only through the environment variable the skill reads, and keep it out of shared logs, prompts, and repositories.

What this means

Staged diffs, commit history, or branch changes may leave the local machine and be processed by EvoLink/Claude.

Why it was flagged

The skill clearly discloses that repository diffs or commit history are sent to an external AI service. This is purpose-aligned, but repository data can contain proprietary code or secrets.

Skill content
AI commands send git diff output or commit history to `api.evolink.ai` for analysis by Claude.
Recommendation

Before using AI commands, review the staged diff and the commit range for secrets or confidential code; use the local conventions command when nothing should leave the machine.
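One way to make that review a mechanical gate, as an added example that is not part of the skill or of the ClawScan report: a shell function that reads a unified diff on stdin, looks only at added lines (the ones that would be sent), and fails when a line matches a credential pattern. The pattern list, the function names, and the two sample diffs are constructed for this example; in practice the input would be git diff --cached.

```shell
#!/bin/sh
# Added example, not the Git Assistant skill's own code: a pre-send check for
# staged changes. Reads a unified diff on stdin (in practice:
#   git diff --cached | scan_diff_for_secrets
# ) and fails if any ADDED line looks like a credential. The pattern list and the
# sample diffs below are constructed for the demo.

# label|extended-regex, one per line. Matched case-insensitively; tune for your repo.
SECRET_PATTERNS='aws-access-key-id|AKIA[0-9A-Z]{16}
github-pat|ghp_[A-Za-z0-9]{36}
private-key-block|-----BEGIN [A-Z ]*PRIVATE KEY-----
generic-assignment|(api[_-]?key|secret|token|passw(or)?d)[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9_/+=.-]{16,}'

# Print "label: line" for each suspicious added line; return 1 if anything matched.
scan_diff_for_secrets() {
  local added findings
  # Only added lines leave the machine; drop the "+++ b/file" header lines.
  added=$(grep '^+' | grep -v '^+++ ' | sed 's/^+//')
  findings=$(printf '%s\n' "$SECRET_PATTERNS" | while IFS='|' read -r label regex; do
    # read hands the rest of the line to the last variable, so '|' alternations survive
    printf '%s\n' "$added" | grep -Ei -- "$regex" | sed "s/^/$label: /"
  done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed staged diff that should be blocked: a hard-coded key and an AWS key id.
# (The short "hunter2" value stays under the 16-character threshold on purpose.)
sample_diff_with_secrets() {
  cat <<'EOF'
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["EVOLINK_API_KEY"]
+API_KEY = "sk-live-0123456789abcdef0123"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
EOF
}

# Constructed diff that reads the key from the environment instead: allowed.
sample_diff_clean() {
  cat <<'EOF'
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
+API_KEY = os.environ["EVOLINK_API_KEY"]
+TIMEOUT_SECONDS = 30
EOF
}

# Gate an AI command on the scan: only proceed when nothing suspicious is staged.
if sample_diff_with_secrets | scan_diff_for_secrets; then
  echo "clean: safe to send"
else
  echo "secrets in staged diff: not sending"
fi
```

The removed line and the +++ header are ignored, so moving a key out of the source and into an environment variable passes while the hard-coded value is caught. Pattern matching of this kind is a first line of defence, not proof of absence: extend the list with your own token formats and still eyeball the diff.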