Sovereign git-commit-analyzer
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill is coherently designed to analyze local Git history. The main points to note are that it executes Bash/git commands locally and that its reports may contain contributor emails, commit subjects, and file paths.
This appears safe for its stated purpose if you are comfortable letting it analyze the current Git repository. Verify the source before installing, run it only in repositories you intend to analyze, and review generated reports before saving or sharing them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run in the wrong repository or with broad options, it can summarize more commit history than intended.
The script runs local git commands using user-selected branch, date, and author filters. This is central to the stated purpose, but it means the skill can inspect repository history in the directory where it is run.
COMMITS_RAW=$(git log "$BRANCH" "${DATE_ARGS[@]}" "${AUTHOR_ARGS[@]}" --pretty=format:"%H|%an|%ae|%aI|%s" ...)
Run it only in the intended repository and use options such as --days, --since, --branch, and --author to limit the scope.
Generated reports may reveal internal contributor identities, project structure, and commit details if shared outside the intended audience.
The documented report includes contributor email addresses and changed file paths, which may be sensitive in private or corporate repositories even though this is expected for commit analytics.
Top Contributors ... alice@corp.com ... File Change Heatmap ... config/settings.yaml
Treat reports as project-internal unless reviewed and sanitized, especially before saving them with --output-file or sharing them externally.
The user has little registry-level provenance information to rely on before trusting the local script.
The registry metadata does not provide a clear source or install provenance, while the package includes an executable script. This is not suspicious by itself, but users should verify they are installing the intended artifact.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Install from a trusted registry entry or verified repository, and review the script before granting it use in sensitive repositories.
