Skylv Code Diff Tool
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly behaves like a diff viewer, but its Git mode builds a shell command from user-supplied arguments, which can allow unintended local command execution.
Use the basic file and directory diff features only on files you intend to inspect. Be careful with the Git mode: until the shell execution is fixed, avoid passing untrusted repository paths or arguments, and do not let the agent invent Git arguments automatically.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken Git argument could execute local commands with the user's permissions when the Git mode is used.
The Git command is built as a shell string using interpolated arguments. In a user-invocable agent skill, this can let crafted or poorly validated arguments run unintended shell commands instead of only producing a diff.
const out = execSync(`git ${args}`, { cwd: dir, encoding: 'utf8', timeout: 10000 });
Do not use the Git mode on untrusted input until it is changed to call git with an argument array, whitelist only safe diff-related options, and reject shell metacharacters.
