git trace code
Review
Audited by ClawScan on May 11, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill looks safe for its stated read-only Git tracing purpose. Before installing, confirm you are comfortable with a bash script running git log in your repository and with selected commit history or diffs appearing in the agent output. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may display private code changes, commit messages, author names, and historical diffs from the chosen repository.
The skill invokes local git commands through bash to read commit timelines and diffs. This is central to the stated Git tracing purpose and uses parameter validation/arrays, but users should understand that repository history and code diffs may be emitted.
git log --pretty=format:"| `%h` | %ad | %an | %s |" ... "${LOG_ARGS[@]}" "$BRANCH" ...
git log -p "${LOG_ARGS[@]}" "$BRANCH"
Use it only in repositories where you are comfortable having the selected history and diff shown in the agent conversation or copied into reports.
A user relying only on the registry summary might not realize the skill needs local git/bash execution.
The included skill definition declares required binaries and an executable bash script, while the registry summary says there are no required binaries and no install spec. Because the script is present, simple, and purpose-aligned, this is a metadata consistency note rather than hidden behavior.
required_binaries:
  - git
  - bash
script: |
Review the YAML before installing and ensure git and bash execution are acceptable in the intended environment.
