Skill v1.0.0
ClawScan security
Commit Poetry · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 12:16 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's claims (turn a git history into poems) match what its instructions imply and it asks for no extra installs or credentials, but it will need access to your repository content so review what data you allow it to read.
- Guidance: This skill appears coherent and low-risk: it simply turns git history into poetry and requires no installs or credentials. Before installing or running it, confirm the agent will only read repositories you are comfortable exposing (commit messages and branch names can contain sensitive data). If you run agents in an environment with access to multiple repos or organization-wide data, consider running Commit Poetry on a cloned repository that excludes secrets or on a local machine rather than a shared/cloud agent. Also check whether the agent will make commits or modify files — SKILL.md shows read-only examples, but be cautious if you see runtime instructions that perform checkouts, commits, or network uploads.
Review Dimensions
- Purpose & Capability (ok): The name/description promise (convert git history into poetry) matches the SKILL.md content, which shows mapping commit messages, branch names, and git logs into poetic forms. There are no unrelated dependencies, credentials, or install steps requested.
- Instruction Scope (note): SKILL.md is instruction-only and repeatedly references reading git history (commit messages, git log --follow, branch names, etc.). That is within the stated purpose, but the document is somewhat high-level/vignette-like rather than a strict, minimal runtime spec — it grants the agent broad discretion to traverse repository history and files. If your repo contains sensitive commit messages or secrets, be aware the agent will need read access to them.
- Install Mechanism (ok): No install spec and no code files — nothing is written to disk or fetched at install time. This is the lowest-risk class of skill from an installation perspective.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. That is proportional to the intended functionality of reading local git history and producing text.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or persistent privileges. It does not modify other skills or system settings according to the provided metadata.
