git-weekly
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is aligned with generating a weekly Git report; the main thing to notice is that it reads recent local Git patch details into the agent context.
This skill appears safe to use for its intended purpose. Before using it, make sure the current working directory is the repository you want summarized, and avoid sharing the generated report if recent commits may contain secrets or proprietary code.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent may read recent code diffs from the current repository.
This instructs the agent to run a local Git CLI command and ingest patch output. The command is read-only and scoped to recent commits by the configured author, so it is aligned with the skill purpose, but local tool execution should be visible to users.
Automatically runs `git log --since="7 days ago" --author="$(git config user.name)" --reverse --patch`
Use it only in the repository you intend to summarize, and consider asking for confirmation before running it on sensitive codebases.
Generated reports may include proprietary implementation details or be influenced by text present in recent commits.
The skill uses retrieved code diffs as agent context. This is necessary for the report, but code comments or diffs could contain sensitive details or instructions that should be treated as data rather than authoritative commands.
Based on the retrieved code diff, try to answer and summarize the following
Review the report before sharing it, and treat code/diff text as untrusted input for summarization only.
Users may not realize the skill expects Git to be available and to run in a Git repository.
The registry metadata does not declare any required binaries even though the documented workflow depends on running git. This is an under-declared dependency, not evidence of hidden code or unsafe installation.
Required binaries (all must exist): none; Required binaries (at least one): none
Document git as a required binary and clarify that the command runs in the current repository.
