Skill v1.0.0
ClawScan security
Sovereign git-commit-analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 12:39 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (analyzing git history); it runs local git commands, declares reasonable requirements, and shows no signs of hidden network exfiltration or unrelated access.
- Guidance: This skill is coherent and implements a local git-history analyzer. Before installing: (1) review scripts/analyze.sh yourself (it will execute git commands in the repository) and only run it in repositories you trust; (2) be aware that it reads full commit metadata and file histories (no network calls were found); (3) verify the publisher/source if provenance matters, since registry metadata was inconsistent (the registry listed no homepage/source while skill.json contains homepage/repository URLs); and (4) run the script manually first (./scripts/analyze.sh ...) to confirm its behavior in a controlled environment. If you need higher assurance, request a signed upstream release or confirm that the repository URL in skill.json matches a trusted source.
Review Dimensions
- Purpose & Capability
- Status: ok. The name and description describe commit-history analysis, and the code (scripts/analyze.sh) implements exactly that: it runs git log and local text processing to compute commit frequency, contributors, heatmaps, and message quality. The required tools (git, bash, common Unix utilities) are appropriate for the stated purpose.
- Instruction Scope
- Status: ok. The runtime instructions and the script operate on the local repository via git commands and environment overrides (GCA_*). The script reads commit metadata and file histories only; it does not reference unrelated filesystem paths, external endpoints, or undeclared environment secrets. It processes the repository history in full, which is expected for this tool.
- Install Mechanism
- Status: ok. There is no network install spec; the skill is instruction-only with a bundled script. Nothing is downloaded or written automatically by an installer. Installation guidance is manual (copying into ~/.openclaw/skills and making the script executable), which is low risk.
- Credentials
- Status: ok. No credentials or sensitive environment variables are required. The optional env vars (GCA_*) are configuration-only. skill.json lists the expected tools; SKILL.md also documents additional common Unix utilities (awk, sort, uniq, wc), which are reasonable and proportionate.
- Persistence & Privilege
- Status: ok. The skill does not request always:true and does not modify other skills or global configuration. It can be invoked by the agent (the default behavior), which is expected for a user-invocable analysis tool and is not concerning on its own.
