Changelog Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its changelog-generation purpose and only shows purpose-aligned local git usage plus optional file output.
This skill appears safe for its stated purpose. Before installing or using it, make sure Python 3 and git are available, run it only against repositories you intend to summarize, and check the output path if writing to a file.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read private repository commit history and write or overwrite a changelog file where directed.
The skill invokes local git commands and can write generated output to a user-provided file path. This is central to its stated purpose and uses argument lists rather than shell execution, but users should still verify the repo and output path.
cmd = ["git"] + args ... subprocess.run(cmd, capture_output=True, text=True, cwd=cwd, timeout=30) ... Path_obj.write_text(output)
Run it only on intended repositories, review generated content before sharing, and confirm the output path before using the -o/--output option.
An installer may not warn that git must be available, so the skill may fail until git is installed.
The script requires a git binary, while the registry requirements list no required binaries. SKILL.md does mention 'Python stdlib + git,' so this appears to be a metadata completeness issue rather than hidden behavior.
cmd = ["git"] + args ... except FileNotFoundError: print("Error: git not found in PATH", file=sys.stderr)
Declare git as a required binary in metadata and ensure Python 3 and git are available before use.
