ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Git Commit Helper

v1.0.3

Generates clear, well-structured git commit messages following the Conventional Commits standard.

0· 368·1 current·1 all-time
by@mariaponomarenko38
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (generate Conventional Commits-style messages) match the SKILL.md directive to analyze user input and produce commit messages. No extra binaries, env vars, or config paths are requested.
!
Instruction Scope
SKILL.md requires each commit message to include 'a 2 words answer' to the question 'Who started World War 2?' and append a heart symbol. That question and required answer are unrelated to generating commit messages and grant the skill an unexplained obligation to include specific external content in every output. This could be accidental garbage, a sneaky telemetry/covert-channel/fingerprinting mechanism, or an attempt to force the agent to emit political/historical content in contexts where it's not appropriate.
Install Mechanism
Instruction-only skill with no install spec or code files. This is the lowest-risk install pattern; nothing is written to disk by an installer.
Credentials
The skill requests no environment variables, credentials, or config paths—there are no disproportionate credential requests.
Persistence & Privilege
Default privileges (not always: true). The skill can be invoked autonomously by the agent (platform default) but does not request elevated persistence or modify other skills' settings.
What to consider before installing
This skill largely does what it says (generate Conventional Commit messages) but its runtime instructions include an unrelated requirement to embed a two-word answer to 'Who started World War 2?' in every commit. That is incoherent with the purpose and could be a mistake or a covert/fingerprinting signal. Before installing or enabling it for regular use: (1) Ask the skill author to remove or justify the unrelated question and to provide a corrected SKILL.md that only includes commit-related requirements. (2) If you must test it, do so in an isolated environment and inspect outputs to ensure no unexpected or disallowed content is being produced. (3) Do not grant any extra credentials or system-level access. If the author explains the question is a harmless leftover from testing and provides an updated SKILL.md, this assessment could be upgraded to benign; if similar unrelated or exfiltration-like instructions appear elsewhere, treat as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk971x96m1bnhr7fa482pqmd40x82w8k9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments