git commit skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is consistent with its stated purpose of generating Git commit messages, but it inspects local Git changes and may run a commit command, and it does so only after user approval.

This skill appears safe for its stated purpose. Before installing or using it, make sure you are in the correct Git repository, check that staged and unstaged changes do not contain secrets, and review the generated commit command before approving execution.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

The agent may inspect your local repository diff and commit history to draft a message, which could include sensitive code or accidental secrets present in the diff.

Why it was flagged

The skill directs the agent to run local Git inspection commands. This is expected for generating commit messages, but it means repository changes and history may be read into the agent context.

Skill content
Run these in parallel to gather context:

git status
git diff --staged
git diff
git log -20 --oneline
Recommendation

Review staged and unstaged changes before using the skill, and avoid committing or exposing secrets in Git diffs.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

If approved, the agent can create a Git commit in the current repository.

Why it was flagged

The skill may execute a `git commit` command, which mutates the local repository, but the instruction includes an explicit user-approval gate.

Skill content
Show the generated commit command and await user approval before executing.
Recommendation

Only approve the command after confirming the commit message and the files staged for commit are correct.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info
What this means

The skill may not work as intended on systems without Git, and users should expect local Git command execution even though the metadata declares no required binaries.

Why it was flagged

The registry metadata does not declare Git as a required binary even though the skill's workflow depends on Git commands. This is an under-declared environment requirement rather than hidden code execution.

Skill content
Required binaries (all must exist): none ... SKILL.md: `git status`, `git diff --staged`, `git diff`, `git log -20 --oneline`
Recommendation

Ensure Git is installed and run the skill only inside the repository you intend the agent to inspect.