GitAssist AI-Powered Git Workflow Helper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-aligned git helper that runs local read-only git commands, but users should note that it reads repository diffs and that its install and runtime requirements are under-declared.
Before installing, confirm how the CLI is meant to be run, review the included JavaScript if provenance matters to you, and use it only on repositories where staged diffs and commit history are safe to analyze.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can run git commands in the current repository to read staged changes, branch diffs, and commit logs.
The skill runs local shell commands through Node child_process to inspect git state. The commands shown are read-only and central to the skill's purpose, but local command execution is still worth noting.
_cp['execSync']('git diff --cached --stat', { cwd: this.cwd, encoding: 'utf8' });
Use it only in repositories where you are comfortable having staged changes and commit history analyzed for message generation.
Users may not have clear provenance or setup expectations for the CLI-style code included with the skill.
The package includes src/git-assist.js and documents a git-assist CLI, but the registry does not declare an install mechanism, source provenance, or the git/Node runtime requirements.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required binaries ... none
Review the included source before use and verify how the git-assist command is installed or invoked in your environment.
Sensitive code or accidentally staged secrets could be included in generated summaries or model context.
The skill's core workflow involves placing repository diffs into analysis context. This is expected for commit/PR generation and the artifacts claim no external API calls, but diffs can contain sensitive source code or secrets.
Reads your staged diff (or branch diff for PRs) ... No external API calls. Uses your local or configured AI model.
Check staged diffs before using the skill, and avoid using it with confidential changes unless your configured model and local environment are approved for that data.
