Skill v1.0.0

ClawScan security

Working Tree Governor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 3:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match its stated purpose (selective git staging/governance); it is instruction-only, asks for no credentials, and has no install footprint. However, the metadata does not declare that it requires the git binary, and the heuristics contain project-specific patterns you should review before use.
Guidance
This skill appears to do what it says: help you selectively stage and commit while avoiding runtime noise. Before installing, do the following:
- Confirm git is available on the agent host (SKILL.md runs git but metadata does not declare it). Add 'git' to the required binaries if you manage the registry entry.
- Review and adapt the pattern lists and heuristics to your repository (the examples mention project-specific paths like 'hermes' and 'shared/*'); otherwise the skill may misclassify important files.
- Keep the operator-approval gate enforced; test the skill in a disposable repository first to observe behavior. Ensure the agent cannot auto-commit or run without your interactive approval if you require stricter control.
- Because this is instruction-only, it will execute the git commands shown; ensure the agent's runtime user has appropriate repository access but not elevated system privileges.
- If you want stricter safety, restrict autonomous invocation of this skill at the platform/policy level, or require an explicit manual confirmation step before any git add/commit is executed.

Review Dimensions

Purpose & Capability
note: The name/description align with the runtime instructions (selective staging, verification, operator gate). Small incoherence: registry metadata lists no required binaries, but SKILL.md invokes git extensively; the metadata should declare 'git' as a required binary.
Instruction Scope
ok: SKILL.md stays within the stated purpose: read-only discovery commands, classification heuristics, selective git add/diff/cached checks, and an explicit operator-approval gate. It does not request unrelated files, credentials, or external network calls.
Install Mechanism
ok: No install spec and no code files, the lowest-risk delivery. Nothing is downloaded or written by the skill itself.
Credentials
ok: The skill declares no environment variables or credentials and the instructions do not access secrets. Heuristics reference repo paths (e.g., 'hermes' paths) that are project-specific but not sensitive by themselves.
Persistence & Privilege
ok: always:false and user-invocable:true are appropriate. The flow requires operator approval for ambiguous/large commits, reducing autonomous risk. Note: platform-level autonomous invocation is allowed by default (not a fault of this skill); combined with a misconfigured agent, that leaves residual risk.