Effective Git

Review

Audited by ClawScan on May 1, 2026.

Overview

The artifacts show a coherent Git assistant with no exfiltration behavior, but its shortcuts can change commits or branches and it saves local diff snapshots, so use it deliberately.

This skill appears appropriate for Git workflow assistance. Before using it, be comfortable with an assistant running Git commands in your repository, review quick commands before commit/amend/stash/delete operations, confirm branch and commit details before any push, and clean up saved diff files if they contain sensitive information.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A shortcut command could modify the local repository, stage untracked files, or rewrite the last local commit.

Why it was flagged

The quick helper directly stages all files, commits, and amends the last commit. This is aligned with a Git assistant, but it can change repository history or include unintended files if invoked casually.

Skill content

"c"|"commit") ... git add -A ... git commit -m "$ARG" ... "c:a"|"ca") ... git commit --amend --no-edit

Recommendation

Use quick commit/amend only after reviewing git status and diff; prefer the full workflow for important commits or shared branches.

What this means

If approved, the skill can publish commits to a remote branch visible to collaborators or automation.

Why it was flagged

The skill can update a remote repository using the user's configured Git credentials. The artifact does scope this to the current branch and requires confirmation.

Skill content

Before pushing:
1. Confirm current branch: `git branch --show-current`
2. Show what will be pushed: `git log origin/$(git branch --show-current)..HEAD --oneline`
3. Ask user to confirm
4. Push: `git push origin HEAD`

Recommendation

Before approving a push, verify the current branch, remote, and commit list shown by the assistant.

What this means

Sensitive local changes may remain in saved diff files after conflict-resolution work.

Why it was flagged

The conflict workflow stores local diff snapshots under .git/merge-diffs. This is useful for rollback and review, but diffs may contain sensitive code, secrets, or private changes.

Skill content

DIFF_DIR=".git/merge-diffs"
...
git diff HEAD > "$DIFF_FILE"

Recommendation

Review and delete saved diff snapshots if they contain secrets or private content, and avoid sharing them unintentionally.