Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contextual Git-Committer

v1.0.0

AI-powered Git assistant that analyzes staged changes and terminal history to craft meaningful, conventional commit messages.

by Peter Lum (@liverock)

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the implementation: the code gathers staged diffs, recent commits, changed files, parses diff hunks, and reads terminal history to produce context for commit message suggestions. Reading terminal history is explicitly described in SKILL.md, but it is a potentially disproportionate source of context (it can contain sensitive commands or secrets) relative to the stated goal of crafting commit messages.
Instruction Scope
SKILL.md instructs the tool to read ~/.bash_history and ~/.zsh_history and the handler implements this. That behavior is visible and intentional, but it expands the scope beyond purely repository-local data: terminal history can include sensitive content (commands containing tokens, passwords, or other secrets). The instructions and handler also cause the full staged diff to be emitted (possibly including secrets), which will be provided to whatever LLM the agent uses—this is a privacy/exfiltration risk even if no network code is present in the skill itself.
Install Mechanism
No install spec or external downloads; the skill is instruction-only plus a small local Python handler. No remote installers or archive extraction are used.
Credentials
The skill requests no environment variables, credentials, or config paths beyond reading common shell history files (explicitly documented). There are no unrelated or excessive env/credential demands.
Persistence & Privilege
The skill's `always` flag is false, and it does not request persistent/always-on privileges or modify other skills or system configs. It runs only when invoked.
What to consider before installing
This skill does what it says: it reads staged git diffs, recent commits, and your shell history to build context for commit messages. The main risk is privacy: your shell history and staged diffs can contain secrets (API keys, passwords, tokens, or sensitive commands). If you run this skill, be aware the collected context will be printed and then provided to the agent/LLM that generates messages. Before installing or invoking it:

  • Review handler.py (included) and confirm you are comfortable with it reading ~/.bash_history and ~/.zsh_history.
  • Avoid running it in environments where your shell history contains sensitive commands, or clear/trim those history files first.
  • Consider modifying the handler to skip terminal history or to filter/sanitize history entries (or to limit to certain safe commands).
  • Be cautious about staged diffs that may include secrets—inspect diffs before staging or use git-secrets/tools to pre-scan.

If you need minimal exposure, prefer a version that only reads the staged diff and recent commits (no shell history), or run the tool locally with an LLM that does not send data to an external service. If you want me to, I can suggest a safe modification to handler.py to disable or sanitize history reading.


Latest version id: vk97dtrjnb0y0j4ayxetpg79q8s84shnz
44 downloads · 1 star · 1 version · Updated 6d ago
Version: v1.0.0 · License: MIT-0

Contextual Git-Committer

An AI-powered Git assistant that writes descriptive, high-quality commit messages by analyzing your local workspace context.

How It Works

  1. Gathers staged changes via git diff --cached to see exactly what you're about to commit.
  2. Correlates terminal history by reading recent shell commands to understand why changes were made (e.g., did you just run npm install? pytest?).
  3. Checks recent commits via git log to maintain consistency with your project's existing style.
  4. Parses diff hunks to identify which functions, classes, or sections were modified.
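The four steps above, combined with the sanitization the scan report recommends (skip or filter shell history, pre-scan the staged diff for secrets), as an added example that is not the skill's own handler.py and not code from the ClawHub page: it reads the staged diff and recent commits through git, parses unified-diff hunk headers to name the functions or sections that changed, keeps only history entries that start with an allowlisted tool, and passes every diff line, commit line and history line through a redaction filter before anything is handed to an LLM. The secret patterns, the safe-command allowlist, the `gather_context` function shape and the sample diff and history are all constructed assumptions for this example.

```python
"""Context gatherer for commit-message suggestions, with secret redaction.

Example code (not the skill's handler.py). parse_hunks(), describe_changes(),
redact_secrets() and filter_history() are pure; gather_context() shells out to
git and expects to run inside a checkout.
"""
import re
import subprocess
from pathlib import Path

# Assumption: illustrative secret shapes, not an exhaustive secret scanner.
SECRET_PATTERNS = [
    # KEY=value / key: value where the name ends in a credential-like word
    (re.compile(r"(?i)\b([A-Z0-9_]*(?:api[_-]?key|token|secret|password|passwd|pwd))(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._\-]{16,}"), r"\1[REDACTED]"),  # HTTP bearer tokens
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),                   # AWS access key id shape
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED]"),         # GitHub token shape
]

# Assumption: commands whose presence explains *why* a change was made.
SAFE_COMMAND_PREFIXES = ("git ", "npm ", "yarn ", "pytest", "make ", "cargo ", "go ")

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)$")


def redact_secrets(text: str) -> str:
    """Replace anything that looks like a credential, keeping the key name."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def parse_hunks(diff_text: str) -> dict:
    """Map each changed file to its hunks (new-file line range + function context)."""
    files, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            files.setdefault(current, [])
        elif line.startswith("@@") and current is not None:
            m = HUNK_RE.match(line)
            if m:
                files[current].append({
                    "new_start": int(m.group(3)),
                    "new_count": int(m.group(4) or 1),
                    "context": m.group(5).strip(),  # git's function-context hint, if any
                })
    return files


def describe_changes(hunks: dict) -> list:
    """One human-readable line per hunk: file, line range, enclosing function."""
    out = []
    for path, hs in hunks.items():
        for h in hs:
            end = h["new_start"] + max(h["new_count"], 1) - 1
            out.append(f"{path} L{h['new_start']}-{end}: {h['context'] or '(top level)'}")
    return out


def filter_history(lines, safe_prefixes=SAFE_COMMAND_PREFIXES) -> list:
    """Keep only allowlisted commands, then redact what remains."""
    kept = []
    for raw in lines:
        cmd = raw.strip()
        if cmd.startswith(": ") and ";" in cmd:   # zsh EXTENDED_HISTORY ": <epoch>:<dur>;cmd"
            cmd = cmd.split(";", 1)[1]
        if cmd.startswith(safe_prefixes):
            kept.append(redact_secrets(cmd))
    return kept


def read_shell_history(limit: int = 20, paths=None) -> list:
    """Tail of ~/.bash_history and ~/.zsh_history, filtered and redacted."""
    paths = paths or [Path.home() / ".bash_history", Path.home() / ".zsh_history"]
    lines = []
    for p in paths:
        if p.exists():
            lines.extend(p.read_text(errors="ignore").splitlines()[-limit:])
    return filter_history(lines)


def _git(*args) -> str:
    return subprocess.run(["git", *args], capture_output=True, text=True, check=True).stdout


def gather_context(max_commits: int = 5, history=None):
    """Return sanitized context for the LLM, or None when nothing is staged."""
    diff = _git("diff", "--cached")
    if not diff.strip():
        return None  # caller should tell the user to run `git add` first
    log = _git("log", "--oneline", "-n", str(max_commits)).splitlines()
    return {
        "diff": redact_secrets(diff),
        "changes": describe_changes(parse_hunks(diff)),
        "recent_commits": [redact_secrets(l) for l in log],
        "history": history if history is not None else read_shell_history(),
    }


# Constructed sample input (not real data) so the pure functions run offline.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/auth.py b/app/auth.py",
    "--- a/app/auth.py",
    "+++ b/app/auth.py",
    "@@ -10,6 +10,9 @@ def load_session(request):",
    "     session = request.session",
    "+    if session is None:",
    "+        return None",
    '+    API_KEY = "sk-test-1234567890"  # constructed sample secret',
    "     return session",
    "diff --git a/README.md b/README.md",
    "--- a/README.md",
    "+++ b/README.md",
    "@@ -1 +1,2 @@",
    " # demo",
    "+Handles logged-out sessions.",
])
SAMPLE_HISTORY = [
    "export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123",
    "git add app/auth.py",
    ": 1700000000:0;pytest tests/test_auth.py",
    'curl -H "Authorization: Bearer eyJhbGciOi.abcdefghijkl" https://example.invalid/',
    "npm install",
    "git commit -m 'wip'",
]

if __name__ == "__main__":
    print("\n".join(describe_changes(parse_hunks(SAMPLE_DIFF))))
    print(redact_secrets(SAMPLE_DIFF))
    print(filter_history(SAMPLE_HISTORY))
```

The allowlist-then-redact order matters: a history line that never matches a safe prefix (an `export` of a token, a `curl` with an Authorization header) is dropped before any pattern has to recognise it, and redaction is only the fallback for secrets that ride along inside otherwise useful commands or inside the diff itself.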

AI Prompt Instructions

When the suggest_commit tool returns its output, use the gathered context to generate exactly 3 commit message options:

Option 1: Conventional Commit

A short, standards-compliant message using the Conventional Commits format:

  • Prefix with the correct type: feat:, fix:, refactor:, docs:, test:, chore:, style:, perf:, build:, or ci:
  • Include the scope if provided
  • Keep the subject line under 72 characters
  • Example: fix(auth): resolve null pointer when session expires

Option 2: Story / Detailed

A narrative-style message that explains what the change achieves in plain English:

  • Focus on the "why" and the outcome, not just the mechanics
  • 1-2 sentences
  • Example: "Updated the header logic to prevent crashes when a user is logged out, which was causing intermittent 500 errors on the dashboard."

Option 3: Emoji Style

A casual, emoji-prefixed message for less formal projects:

  • Use relevant emojis to convey the type of change
  • Keep it concise and fun
  • Example: "🐛 Fixed header crash on logout | 🛡️ Added null checks for session object"

Output Format

Present the three options as a numbered list:

📝 Suggested Commit Messages:

1. **Conventional:**
   `fix(auth): resolve null pointer when session expires`

2. **Story:**
   Updated the header logic to prevent crashes when a user is logged out, which was causing intermittent 500 errors on the dashboard.

3. **Emoji:**
   🐛 Fixed header crash on logout | 🛡️ Added null checks for session object

If no staged changes are found, inform the user and suggest running git add to stage their changes first.

Usage Examples

  • /suggest_commit — Analyze staged changes and suggest 3 messages
  • /suggest_commit --style detailed — Provide more verbose explanations
  • /suggest_commit --scope api — Focus the message on the API module
  • /suggest_commit --style detailed --scope auth — Detailed messages scoped to auth
