Git Commit Helper Pro

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This appears safe for its stated purpose. Be aware that it runs Git commands locally and reads staged file-change statistics, so use it only in repositories whose staged filenames and change summaries you are comfortable sharing with the agent context. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When used in a Git repository, file names and change statistics from staged changes may be read into the agent context to generate the message.

Why it was flagged

The skill executes local Git commands to inspect the current repository's staged changes. The commands are fixed and purpose-aligned, but users should know the agent will run local shell commands when invoked.

Skill content
execSync('git rev-parse --git-dir', { stdio: 'pipe' }); ... execSync('git diff --cached --stat', { encoding: 'utf8' ... })
Recommendation

Use it only in the intended repository, review staged changes first, and inspect the generated commit message before using it.

What this means

You have less external context for verifying who maintains the skill or where updates come from.

Why it was flagged

The artifacts do not provide an upstream source or homepage for provenance verification. The included package has no dependencies or install scripts, so this is a provenance note rather than a behavioral concern.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the registry publisher or have reviewed the included files yourself.