Shadows Smart Commit

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent local Git commit helper that discloses its diff inspection and local git add/commit actions, with no evidence of hidden network, credential, install, or persistence behavior.

This skill appears safe for its intended use as a local Git commit helper. Before installing, be comfortable with it reading repository diffs and creating local commits, and review the files and commit message it proposes before proceeding.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It can change your local repository by staging files and creating a commit.

Why it was flagged

The skill can stage files and create commits, which changes repository state. This is clearly disclosed and directly aligned with the stated commit-assistant purpose.

Skill content

Phase 3 (`git add`) and Phase 4 (`git commit`) modify git state. These are local operations — no data is pushed to any remote unless the user explicitly requests `git push` afterward.

Recommendation

Review the proposed file list and commit message before allowing git add or git commit, and handle any push as a separate explicit action.

What this means

If a staged change contains a real secret, the scan may print part of it in the agent or terminal output.

Why it was flagged

The skill reads staged diff content and may surface secret-like lines while scanning. This is bounded to the repository diff and explicitly disclosed, but users should avoid exposing that output.

Skill content

Phase 2 may display matched secret-like patterns in terminal output. Run in a secure terminal where output is not forwarded to shared logging systems.

Recommendation

Use this in a private workspace, review staged changes carefully, and use a dedicated scanner such as gitleaks or trufflehog for high-security repositories.