Code Analysis Skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-aligned local Git repository analysis skill, with the main user considerations being developer privacy, broad repository scanning, and standard Python dependency hygiene.
This skill looks coherent for local Git analysis. Before installing or using it, confirm you have permission to analyze the repositories and developers involved, use narrow repository paths, keep generated reports private, do not rely on its slacking or score outputs for formal HR decisions, and install the Python dependencies in an isolated environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a broad directory, the skill may analyze more repositories and developer histories than intended.
The skill can read and analyze multiple local repositories when given a parent directory and recursive scanning is enabled. This is expected for the stated purpose, but users should scope the path carefully.
Path to a specific Git repository, or a parent directory to scan for all .git repositories... If true, recursively scan the repo_path directory for all .git repositories.
Provide an explicit repository path when possible, and only use recursive scanning on directories you intentionally want analyzed.
Reports may reveal identifiable developer activity patterns and could affect workplace trust or personnel decisions if mishandled.
The generated reports summarize personal work-pattern data and could be stored, shared, or over-trusted outside their original context.
This tool extracts personal developer activity data from Git commit history, including timestamps, frequencies, and behavioral patterns... Generated reports contain personal information
Get consent before analyzing others, store reports securely, avoid public sharing, and do not use the scores as the sole basis for HR or disciplinary decisions.
Installing dependencies may fetch newer package versions than the author tested.
The skill relies on standard Python packages with lower-bound version constraints rather than exact pins. This is common and purpose-aligned, but it means future dependency versions may be pulled during installation.
gitpython>=3.1.40
radon>=6.0.1
pylint>=3.0.0
pydriller>=2.6
jinja2>=3.1.2
click>=8.1.7
reportlab>=4.0
Install in a virtual environment and consider pinning or locking dependency versions for repeatable use.
