Git Log Summary

Warn: Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Git-report purpose, but its remote-analysis script passes user-controlled option values through shell eval, so a crafted output filename or commit count can run unintended commands as the user.

Use caution with the remote-analysis script until eval is removed. If you use the skill, pass only simple trusted values for output filenames and commit counts, and review the generated Markdown for private remote URLs or repository details before sharing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A specially crafted output filename or commit-count value could cause extra shell commands to run as the user when using remote repository analysis.

Why it was flagged

The script reinterprets user-controlled option values through eval instead of passing them as safely quoted arguments, creating a command-injection path.

Skill content
PARAMS="$PARAMS -o \"$OUTPUT_FILE\""
PARAMS="$PARAMS -n $NUM_COMMITS"
eval "\"$SCRIPT_DIR/generate_git_summary.sh\" $PARAMS"
Recommendation

Remove eval, build arguments with a Bash array, quote each argument directly, and validate NUM_COMMITS as an integer.
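The eval-based wrapper from the finding beside the hardened form the recommendation describes, as an added example rather than the audited skill's own code. The function names run_unsafe, run_safe and fake_target are assumed for the demo; fake_target stands in for generate_git_summary.sh and only echoes the arguments it receives, so the effect of the same attacker-shaped value on each wrapper can be compared.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's code. fake_target is a constructed
# stand-in for generate_git_summary.sh: it prints argc and each argument.
set -u

fake_target() {
  printf 'argc=%s\n' "$#"
  for a in "$@"; do printf 'arg=[%s]\n' "$a"; done
}

# Vulnerable form, mirroring the finding: option values are concatenated into
# a string and re-parsed by eval, so shell metacharacters in them execute.
# Kept only for comparison; do not use.
run_unsafe() {
  local script="$1" output_file="$2" num_commits="$3"
  local PARAMS=""
  PARAMS="$PARAMS -o \"$output_file\""
  PARAMS="$PARAMS -n $num_commits"
  eval "\"$script\" $PARAMS"
}

# Hardened form: NUM_COMMITS must be all digits, arguments are collected in a
# Bash array, and each one is passed to the script as a single quoted word.
# A filename containing spaces or quotes stays one argument; no re-parsing.
run_safe() {
  local script="$1" output_file="$2" num_commits="$3"
  case "$num_commits" in
    ''|*[!0-9]*)
      echo "NUM_COMMITS must be a non-negative integer, got: $num_commits" >&2
      return 2 ;;
  esac
  local -a args=(-o "$output_file" -n "$num_commits")
  "$script" "${args[@]}"
}

# Demo: the same injected commit-count value through both wrappers.
printf -- '--- eval wrapper ---\n'
run_unsafe fake_target 'report.md' '5; echo INJECTED'
printf -- '--- array wrapper ---\n'
run_safe fake_target 'report.md' '5; echo INJECTED' || printf 'rejected (rc=%s)\n' "$?"
run_safe fake_target 'my report.md' 25
```

The unsafe wrapper runs `echo INJECTED` after the target because eval re-tokenises the whole string; the array wrapper rejects the value before any command runs, and a filename with a space arrives at the target as exactly one argument.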

What this means

A report intended for sharing may accidentally include private remote URL details or embedded credentials if the repository is configured that way.

Why it was flagged

The report copies Git remote URLs verbatim; if a remote URL contains embedded usernames, tokens, or private repository details, those values would appear in the generated Markdown.

Skill content
git remote -v | while read line; do
    echo "- $line"
done
Recommendation

Review generated reports before sharing and consider redacting URL userinfo or offering an option to omit remote URLs.
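Both options from the recommendation, as an added example rather than the skill's own code: a sed filter that blanks the userinfo part of any URL on a `git remote -v` line before it is turned into a Markdown bullet, and an omit mode that lists remote names only. The sample remote lines and the function names redact_userinfo and render_remotes are constructed for this demo; the token in them is a placeholder, not a real credential.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's code. SAMPLE_REMOTES is constructed
# in the shape `git remote -v` prints (name, URL, direction).
set -u

SAMPLE_REMOTES='origin https://alice:ghp_examplesecret@github.com/acme/private.git (fetch)
origin https://alice:ghp_examplesecret@github.com/acme/private.git (push)
upstream git@github.com:acme/public.git (fetch)
upstream git@github.com:acme/public.git (push)'

# Replace everything between "://" and the "@" that ends the authority's
# userinfo with a marker. scp-style "git@host:path" has no "://" and carries
# no password, so it passes through unchanged.
redact_userinfo() {
  sed -E 's#(://)[^/@[:space:]]*@#\1[redacted]@#g'
}

# Render remote lines as Markdown bullets. With omit_urls=1 only the
# deduplicated remote names are listed and no URL reaches the report.
render_remotes() {
  local omit_urls="${1:-0}"
  if [ "$omit_urls" = 1 ]; then
    awk '{print $1}' | sort -u | while IFS= read -r name; do
      echo "- $name"
    done
  else
    redact_userinfo | while IFS= read -r line; do
      echo "- $line"
    done
  fi
}

printf '%s\n' "$SAMPLE_REMOTES" | render_remotes
printf -- '--- names only ---\n'
printf '%s\n' "$SAMPLE_REMOTES" | render_remotes 1
```

Redaction happens on the text stream, so it also covers remotes whose URL is pulled from a credential helper config or an insteadOf rewrite, as long as the secret is embedded in the URL itself; a token stored elsewhere (credential helper, .netrc) never appears in `git remote -v` output in the first place.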

What this means

Installation or invocation checks may not warn users that local command-line tools are needed.

Why it was flagged

The script depends on external binaries such as git and bc, while the registry requirements declare no required binaries.

Skill content
if ! git rev-parse --git-dir > /dev/null 2>&1; then
...
percentage=$(echo "scale=2; $count * 100 / $total_commits" | bc 2>/dev/null || echo "0.00")
Recommendation

Declare required binaries in metadata, at minimum git and any other commands needed for successful report generation.
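A runtime preflight that complements the metadata declaration, as an added example rather than the skill's own code: it names every missing external command before any report is generated, and it shows the one dependency the snippet above introduces (bc, used only for a two-decimal percentage) replaced with Bash integer arithmetic so it need not be declared at all. The function names missing_bins and percentage are assumed for the demo; the pure-Bash percentage truncates like `scale=2` in bc rather than rounding.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's code.
set -u

# Print each required command that is not on PATH, one per line; return 1
# if any is missing so the caller can stop before generating the report.
missing_bins() {
  local rc=0 bin
  for bin in "$@"; do
    if ! command -v "$bin" >/dev/null 2>&1; then
      printf '%s\n' "$bin"
      rc=1
    fi
  done
  return "$rc"
}

# Same value the skill gets from `echo "scale=2; count*100/total" | bc`,
# computed in Bash integer arithmetic (truncating, as bc's scale does),
# with the total==0 case returning "0.00" instead of relying on bc failing.
percentage() {
  local count="$1" total="$2"
  if [ "$total" -eq 0 ]; then
    echo "0.00"
    return
  fi
  local scaled=$(( count * 10000 / total ))
  printf '%d.%02d\n' $(( scaled / 100 )) $(( scaled % 100 ))
}

# Demo: check the tools this script really needs, then compute a share.
if missing=$(missing_bins git sh); then
  echo "all required tools present"
else
  echo "missing required tools: $missing" >&2
fi
percentage 1 3
```

Listing the same names in the registry metadata that missing_bins checks at runtime keeps the declaration and the actual dependency set from drifting apart; dropping bc shrinks that list to git.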