Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
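At the end of each workday, generate a daily report of the day's commits across all Git repositories with one click; supports multi-repository scanning.
v1.0.0
Today's Git commit daily report assistant: automatically scans the day's commit records (including those before 6 a.m. the following morning) across all repositories and generates a structured daily report.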
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with its behavior (scanning local .git folders and summarizing commits). However, the runtime script invokes the external 'git' command repeatedly but the skill metadata declares no required binary; the absence of a declared dependency on git is an inconsistency that could lead to runtime errors or surprise behavior if git isn't present.
Instruction Scope
SKILL.md instructs the agent to run scripts/gitpulse.py which recursively scans the filesystem under a root path (default cwd or user-supplied) up to 3 levels for .git directories, reads git logs and git config. This is coherent with the stated purpose, but it does entail broad local filesystem access within the chosen root and reads the user's git config (global) to determine the current user for filtering commits.
Install Mechanism
No install spec is provided (instruction-only with included script files). That lowers install risk because nothing is downloaded or written during installation. The presence of a local Python script is expected for an instruction-only skill.
Credentials
The skill requests no environment variables or external credentials, which matches its purpose. It does read git config (including --global) to get the git user.name — reasonable for filtering commits but worth noting because it accesses the user's global git configuration file (~/.gitconfig) implicitly.
Persistence & Privilege
The skill is not forced-always and is user-invocable. It does not request persistent elevated privileges, nor does it modify other skills or system-wide agent settings in the provided materials.
What to consider before installing
This skill appears to be what it claims (a local Git commit summarizer), but take these precautions before enabling it:
1) Confirm you have the git binary available on the agent host — the script calls 'git' but the skill metadata does not declare that dependency.
2) Be aware it will recursively scan directories under the chosen --root (default: current working directory) up to 3 levels and read your git config (including global user.name) to filter commits — run it on a safe directory if you want to test.
3) Review the full scripts/gitpulse.py for any unexpected subprocess or network calls (the visible code only calls 'git').
4) If you want stricter behavior, run the script manually from a shell first and inspect its JSON output (use --format json) before letting the agent invoke it automatically.
If you need higher assurance, ask the author to declare 'git' as a required binary in the metadata and provide the full, untruncated script for a complete review.
Like a lobster shell, security has layers — review code before you run it.
latest vk979qr349h55p3cqd1m7p7sgx984jyam
