Code Analysis Skills 1.0.6

v1.0.0

This skill should be used when the user needs to analyze Git repositories, compare developer commit patterns, work habits, development efficiency, code style...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (developer evaluation, commit patterns, slacking index) match the provided code and docs: analyzers, scanner, reporter modules and CLI exist and depend on standard Git/analysis libraries (PyDriller, GitPython, radon). No environment variables, binaries, or external credentials are requested that would be unrelated to a local repo analysis tool.
Instruction Scope
SKILL.md instructs the agent to analyze a provided repo_path (or scan a directory for .git repos). All instructions are scoped to reading repository history and generating local reports. Important behavioral note: the skill analyses personal developer activity (timestamps, commit patterns) — this is expected for the stated purpose but raises privacy/ethical considerations that the docs acknowledge (obtain consent, keep reports private). I saw no instructions directing data to external endpoints in the reviewed files.
Install Mechanism
No install spec in the skill bundle (instruction-only), but the project contains Python code with pyproject/requirements listing standard PyPI packages (gitpython, pydriller, radon, etc.). This is proportionate to the functionality. As with any package that requires third‑party libs, there is the usual supply‑chain risk from PyPI packages — verify versions and trustworthiness before pip installing in production.
Credentials
The skill declares no required env vars, no credentials, and no config paths. That matches the code: analyzers operate on the repo path and commit history only. There are no obvious requests for unrelated secrets or system-wide configuration access in the inspected files.
Persistence & Privilege
Flags show always: false and normal model invocation. The skill does not request permanent presence or special agent privileges. It appears to be a normal, on-demand analysis tool that runs locally.
Assessment
This skill appears to do what it says: local analysis of Git history and generation of reports. Before installing or running it:
1) Be aware the reports contain personal activity data (timestamps, commit behavior) — obtain informed consent and avoid using outputs for punitive HR decisions.
2) Review and pin third‑party dependencies (pyproject/requirements) and install them in a controlled environment (virtualenv/container) to reduce supply‑chain risk.
3) If you need stronger assurance, inspect the remaining (truncated) source files for any network calls or telemetry (outbound HTTP, sockets, or hardcoded endpoints).
4) For sensitive org code, run the tool on a copy of the repo or in an isolated environment and treat generated reports as confidential.

Like a lobster shell, security has layers — review code before you run it.
