Who Is Actor
v1.0.10
This skill should be used when the user wants to analyze a Git repository and profile each developer's commit habits, work habits, development efficiency, co...
by enoyao @wscats
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to analyze Git repositories and requests only the exact standard binaries needed (git, cut, sort, uniq, awk, grep, sed, wc, head). No environment variables, network access, or unrelated dependencies are requested — this is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run only read-only git subcommands and to locally aggregate/parse commit metadata (timestamps, counts, numstat, message length) — these actions are necessary for the described profiling. The skill also states strong input validation, a dry-run mode, and local redaction of sensitive patterns before sending data to the AI. However, these are procedural requirements the agent must implement; the skill itself contains no code or enforcement hooks, so you must verify the agent actually follows the protocol (dry‑run, command whitelist, and redaction) before using it on sensitive repos.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It relies on common system binaries only (declared in skill.yaml), which is consistent and expected.
Credentials
No environment variables, credentials, or config paths are requested. The skill does read local repository data (commit metadata, file names, messages) which is appropriate for repository profiling and is clearly declared.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. It can be invoked autonomously by the agent (platform default) — because the skill deals with potentially sensitive local data, ensure the agent's autonomy and invocation policies align with your risk tolerance and that dry-run/consent prompts are enforced.
Assessment
This skill is internally coherent and only asks for standard git/text tools, but it is instruction-only and relies on the agent to enforce its safety rules. Before using on a sensitive repo: 1) run the recommended dry-run and inspect every proposed command; 2) test the validation checks by supplying deliberately malformed inputs (dangerous characters, emails, invalid dates) to confirm they are rejected; 3) confirm that only aggregated metrics (not raw commit messages or full file paths) are sent to the remote AI model and that redaction patterns are applied; 4) prefer running first on a non-sensitive/test repo and review logs/audit trail of commands executed. If you cannot confirm the agent enforces the whitelist and redaction, treat repository data as potentially exposed and do not run on private or regulated codebases.
Like a lobster shell, security has layers — review code before you run it.
latestvk970htyfbxgpqfqhr40d3hrahd82xw6y
