Conventional Git
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign Git convention helper, but it can drive git and GitHub CLI actions and it teaches issue-closing commit footers, so users should review the commands it proposes and the issue references it writes before use.
This skill is reasonable for enforcing Git branch and commit conventions. Before installing, make sure you are comfortable with an agent receiving broad git/gh command capability, verify any issue-closing references before merge, and confirm whether the no-AI-attribution rule matches your team's disclosure policy.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these tools, it can modify local repository state (commits, branches, resets) and, through the gh CLI, interact with GitHub under the user's login.
The skill grants the agent broad git and GitHub CLI command access. This fits the Git workflow purpose, but note that the wildcard patterns match every subcommand: Bash(git:*) covers push, reset and branch deletion as much as it covers log and status, not only the harmless inspection and formatting commands the convention needs.
allowed-tools: Read Edit Write Glob Grep Bash(git:*) Bash(gh:*)
Allow Git/GitHub commands only when they are needed for the task, and review high-impact commands such as push, merge, branch deletion, release, issue, or PR mutations before approving them.
Authenticated gh commands could affect GitHub issues, pull requests, repositories, or releases depending on the user's local login and permissions.
The GitHub CLI operates with the user's existing GitHub authentication. The artifacts show no token collection or storage, but any gh invocation the skill triggers acts with whatever permissions that existing login carries.
Bash(gh:*)
Use this skill with explicit approval for authenticated GitHub operations, or restrict gh access if the skill is only needed for naming and commit-message guidance.
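As an added illustration of the narrowing recommended above (not the skill's own frontmatter, and not the only reasonable cut), the allowed-tools line from the artifacts is shown beside a variant that keeps only the git subcommands a naming and commit-message helper needs and drops gh entirely. The subcommand-level patterns are assumed to use the same Bash(prefix:*) prefix form as the original line, and it is assumed that anything not listed falls back to the normal permission prompt rather than being silently blocked; check both against your agent's documentation.

```yaml
# Original allowed-tools from the skill's SKILL.md frontmatter (broad):
allowed-tools: Read Edit Write Glob Grep Bash(git:*) Bash(gh:*)

# Narrowed variant (added example, not the skill's own frontmatter).
# Keeps read-only inspection plus staging/committing and branch creation;
# push, reset, branch deletion and every gh command are left out, so they
# are assumed to hit the usual approval prompt instead of being pre-approved.
# Assumes Bash(git status:*) prefix-matches "git status ..." the same way
# Bash(git:*) prefix-matches "git ...".
allowed-tools: Read Edit Write Glob Grep Bash(git status:*) Bash(git diff:*) Bash(git log:*) Bash(git add:*) Bash(git commit:*) Bash(git switch:*)
```

Whether gh belongs in the list at all depends on whether the agent is expected to open pull requests or touch issues for you; if it only needs to shape branch names and commit messages, leaving it out costs nothing.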
A wrong issue reference or closing keyword could close the wrong GitHub/GitLab issue when merged.
The skill explicitly teaches commit-message footers that trigger downstream issue-tracker changes after merge.
Both GitHub and GitLab scan commit messages for closing keywords (close/closes/closed, fix/fixes/fixed, resolve/resolves/resolved, with GitLab accepting further forms such as implements) followed by an issue reference, and automatically close the referenced issue once the commit lands on the default branch; matching is not sensitive to capitalization and the keyword can sit anywhere in the message, so a stray "fixes #12" in the body is enough.
Before committing or merging, verify issue numbers, cross-repo references, and closing keywords.
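One way to make that verification mechanical is a commit-msg hook that surfaces every closing reference before the commit exists, and refuses the commit when a reference points outside an expected set or at another repository. The following is an added example, not code from the Conventional Git skill. It assumes the GitHub keyword set plus GitLab's extra forms (closing, fixing, resolving, implement/implements/implemented/implementing), reference shapes of #N and owner/repo#N, and a hypothetical CLOSABLE_ISSUES environment variable naming the issues a branch is allowed to close; the sample messages are constructed for the demonstration.

```python
"""commit-msg hook: list and vet issue-closing references in a commit message.

Added example, not part of the Conventional Git skill. Assumptions:
- closing keywords: GitHub's set plus GitLab's -ing and implement* forms
- reference shapes: #123 or owner/repo#123 (full issue URLs are not handled)
- CLOSABLE_ISSUES (hypothetical env var): comma-separated issue numbers this
  branch may close; unset means report only, never reject
"""
from __future__ import annotations

import os
import re
import sys

# A single reference: optional owner/repo prefix, then #number.
REF = r"(?:[\w.-]+/[\w.-]+)?#\d+"
REF_RE = re.compile(REF)

# Keyword, optional colon, then one or more references separated by commas/and.
CLOSING_RE = re.compile(
    rf"\b(?P<kw>clos(?:e[sd]?|ing)|fix(?:e[sd]|ing)?|resolv(?:e[sd]?|ing)"
    rf"|implement(?:s|ed|ing)?)\b\s*:?\s*"
    rf"(?P<refs>{REF}(?:\s*,?\s*(?:and\s+)?{REF})*)",
    re.IGNORECASE,
)


def find_closing_refs(message: str) -> list[tuple[str, str | None, int]]:
    """Return (keyword, repo-or-None, issue_number) for every closing reference."""
    found = []
    for match in CLOSING_RE.finditer(message):
        keyword = match.group("kw").lower()
        for ref in REF_RE.findall(match.group("refs")):
            repo, _, number = ref.rpartition("#")
            found.append((keyword, repo or None, int(number)))
    return found


def check_message(
    message: str,
    expected: set[int] | None = None,
    allow_cross_repo: bool = False,
) -> list[str]:
    """Return human-readable problems; an empty list means nothing looks accidental."""
    problems = []
    for keyword, repo, number in find_closing_refs(message):
        label = f"{repo or ''}#{number}"
        if repo and not allow_cross_repo:
            problems.append(f"'{keyword} {label}' closes an issue in another repository ({repo})")
        if expected is not None and number not in expected:
            problems.append(f"'{keyword} {label}' is not in the expected issue set {sorted(expected)}")
    return problems


# Constructed sample messages (not from any real repository).
SAMPLE_MESSAGES = [
    "feat(auth): add token refresh\n\nCloses #42",
    "fix: handle empty config\n\nThis fixes #7, #8 and resolves octo-org/other-repo#100",
    "docs: mention migration\n\nRelated to #15 (no closing keyword here)",
]


def main(argv: list[str]) -> int:
    """Hook entry point: argv[1] is the path git passes to commit-msg hooks."""
    with open(argv[1], encoding="utf-8") as handle:
        message = handle.read()
    raw = os.environ.get("CLOSABLE_ISSUES")  # hypothetical convention, see module docstring
    expected = {int(x) for x in raw.split(",") if x.strip()} if raw else None
    for keyword, repo, number in find_closing_refs(message):
        print(f"commit-msg: '{keyword}' will close {repo or 'this repo'}#{number} once merged")
    problems = check_message(message, expected)
    for problem in problems:
        print("commit-msg: " + problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as .git/hooks/commit-msg (executable) and the listing runs on every commit; exporting CLOSABLE_ISSUES turns it from a reminder into a gate. The hook cannot see what the default branch will contain at merge time, so it is a pre-commit sanity check, not a substitute for reviewing the squashed or merged message in the pull request.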
Commit history may not show that an AI agent helped produce the change.
The skill explicitly instructs the agent to omit AI-agent attribution from commit messages. This is consistent with some commit-style policies, but it conflicts with teams that require AI contributions to be disclosed in the history.
NEVER add a Claude signature, AI agent attribution, or `Co-authored-by` trailer for Claude or any other AI agent to commits
Follow your project's disclosure policy; override this rule if your team requires AI attribution or co-author trailers.
