Gitignore Gen

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a normal .gitignore generator, but it fetches templates from GitHub and can write or overwrite local .gitignore files when instructed.

Safe to consider for normal use. Before installing, note that it needs python3, contacts GitHub to retrieve templates, stores a small cache, and can overwrite or append to local files if those flags are used.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with --force, --append, or a custom output path, it can change an existing file in the selected location.

Why it was flagged

The skill can write, append to, or overwrite a local output file based on command flags. That is central to generating .gitignore files, but it is still local file mutation.

Skill content

p_gen.add_argument("--output", "-o", help="Output file path (default: ./.gitignore)") ... p_gen.add_argument("--append", "-a", action="store_true" ... p_gen.add_argument("--force", action="store_true" ... with open(outpath, "w") as f:

Recommendation

Review the target path and generated content before using --force or --append; use --stdout first if you want to inspect the result.

What this means

Generated ignore rules depend on GitHub template content and network availability.

Why it was flagged

The generated .gitignore content is fetched from GitHub's template API. This is disclosed and purpose-aligned, but it means output depends on a remote source.

Skill content

GITHUB_API = "https://api.github.com/gitignore/templates" ... urllib.request.urlopen(req, timeout=10)

Recommendation

Inspect the generated .gitignore before committing it, especially for important repositories.

What this means

The skill may not work in an environment without python3 even though no binary requirement is declared.

Why it was flagged

The registry metadata does not declare a Python runtime, while the SKILL.md examples invoke python3 to run the bundled script. This is a minor disclosure gap rather than hidden behavior.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Ensure python3 is available before using the skill.