Code Analysis Skills

v1.0.6

This skill should be used when the user needs to analyze Git repositories, compare developer commit patterns, work habits, development efficiency, code style...

by enoyao @wscats
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (analyzing Git repos and developer behaviors) aligns with the included code (scanners, analyzers, reporters). Required resources are minimal (no env vars, no required binaries). The declared dependencies (gitpython, pydriller, radon, jinja2, etc.) are appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs the agent to analyze a provided repo_path and produce local reports; it explicitly states the tool runs locally and extracts personal activity metrics from git history (timestamps, frequencies, work patterns). That scope is expected, but the skill will process sensitive personal data (developer activity) — this is intentional but privacy-sensitive and needs informed consent before use.
Install Mechanism
There is no install spec in the skill metadata (instruction-only for the agent). The repository includes Python code and a requirements.txt/pyproject specifying dependencies; installing those packages (pip) is necessary to run the tool. No remote arbitrary binary downloads or URL-based installers were declared in the manifest.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The code reviewed does not require external secrets to perform its stated analyses.
Persistence & Privilege
always: false and the default model-invocation setting is used. The skill does not request permanent global presence or elevated platform privileges. Autonomous invocation is allowed but that is the platform default; nothing in the files indicates it modifies other skills or global agent settings.
Assessment
This skill appears coherent for local analysis of Git repositories and developer activity. Before installing or running it, consider:

1) Privacy: reports contain personal activity data — obtain informed consent from analyzed developers and avoid using outputs for punitive HR decisions.
2) Verify no exfiltration: scan the repository for network/activity calls (look for imports/usage of requests, urllib, socket, ftplib, smtplib, http.client, subprocess with curl/wget, or direct URLs) — the portion reviewed shows no obvious external transmission, but a few files were truncated in the listing.
3) Review reporters and templates: HTML/PDF reporters can embed external assets (CDN links) or render remote images — ensure they only produce local output.
4) Dependency safety: the tool requires third-party packages; pin and audit versions before pip install and consider installing in an isolated environment (venv/container).
5) Run tests and a quick local dry-run on a disposable repo to confirm behavior.

If you want higher assurance, provide the remaining files or request a focused scan for network/execution patterns and any subprocess calls.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d8pspq4btsk5awdzdw95j0182xmk2
