Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Commit code safe and nice

v1.0.0

Smart git commit with remote sync, amend intelligence, and conventional commits. Use when the user asks to commit changes, stage and commit, "/commit", save...

by Hugo Gu (@hugogu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the git commands and flow in SKILL.md (fetch, rebase, diff, amend/new commit, generate conventional commits). However, the SKILL.md prescribes embedding agent/model info into commit footers and instructs the skill to 'TRIGGER' on any mention of committing — this aggressive trigger behavior is not reflected in the registry metadata (always:false) and feels disproportionate to a simple commit helper.
Instruction Scope (flagged)
Instructions include running repository-wide commands (git fetch/pull/rebase, git add -A, git push) and rely on the agent's 'judgment' to stage changes while also telling it to avoid secrets. This is ambiguous and grants broad discretion: a blanket git add -A can stage secrets accidentally; automatic rebase/pull and push behavior can expose private data or rewrite history without an explicit, enforced confirmation step. The SKILL.md's required trigger behavior ('TRIGGER this skill whenever the user mentions committing') is overly broad and risks unintended commits or pushes.
Install Mechanism
Instruction-only skill with no install steps and no code files. Lowest installation risk — nothing is written to disk by a package mechanism.
Credentials (flagged)
The skill asks the agent to append 'Co-authored-by: Claude <noreply@anthropic.com>' and 'AI-model: <model-id>' using 'what's available from the environment' but declares no required environment variables. Expecting model or system context without declaring required env vars is an untracked data request. Including model identifiers and a fixed vendor email in commits may leak internal runtime metadata to remote Git servers and seems unnecessary for a generic git helper.
Persistence & Privilege
Metadata does not request always:true and the skill is user-invocable only — appropriate. However, combined with the SKILL.md's instruction to trigger on casual mentions and to perform networked operations (fetch/pull/rebase/push), autonomous invocation (the platform default) would give this skill the ability to modify and push remote repositories without strong explicit confirmation. That combination raises operational risk even though no permanent presence or special privileges are requested.
What to consider before installing
This skill appears to implement a helpful commit workflow but has practical risks. Before installing or enabling it:
1) Require explicit user confirmation before any git pull/rebase or push — do not allow automatic network operations on casual mentions.
2) Remove or make optional the automatic 'git add -A' and instead present a staged-file selection to the user; ensure it never stages known secret files by default.
3) Make the inclusion of AI-model or vendor info in commit footers optional and clearly documented — this can leak runtime/model metadata to remote servers.
4) Test the skill in a disposable repository to observe behavior (especially rebase/abort flows).
5) If you do enable autonomous invocation, restrict triggers (do not trigger on every mention of 'commit' — require a command/confirmation).
These changes would reduce the risk of accidental data exposure or unwanted pushes.


latest: vk970rc1fyyt3v9edjj60rftpy1841vk4

