Who Is Actor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent read-only Git analysis skill, but it will run local Git/text commands and process repository metadata that may be sensitive.

Before installing, confirm you are comfortable letting the agent run read-only Git commands against the chosen repository. Use dry-run mode, check that commands stay within the documented allowlist, and avoid using the generated developer scores as a sole basis for personnel decisions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent does not follow the validation and allowlist instructions, commands could run with unintended scope, though the documented workflow is read-only.

Why it was flagged

The skill instructs the agent to run local shell/Git pipelines using user-supplied parameters. This is central to the repository-analysis purpose, and the artifacts also specify validation, read-only command limits, and dry-run review.

Skill content

git -C <repo_path> log --author="<author>" --pretty=format:"%aI" | cut -c12-13 | sort | uniq -c | sort -rn

Recommendation

Use dry-run first, confirm every proposed command is read-only and scoped to the intended repository, and reject any write, network, or non-whitelisted command.

What this means

Private repository metadata or accidental secrets in commit messages could be exposed to the agent if filtering is not followed carefully.

Why it was flagged

The skill intentionally processes repository-derived text such as commit messages and filenames. The artifacts acknowledge the sensitivity and describe aggregation/redaction controls before AI analysis.

Skill content

commit messages and filenames are read locally during data collection and may contain sensitive information — the skill enforces automatic redaction of common secret patterns before any data leaves the local environment.

Recommendation

Run only on repositories you are authorized to analyze, prefer aggregate reports, and verify that raw commit messages and full paths are not included unless explicitly requested and redacted.

What this means

A user relying only on the registry summary might not realize the skill expects local command execution with Git and Unix text utilities.

Why it was flagged

The registry summary does not declare required binaries/capabilities, while skill.yaml lists git, cut, sort, uniq, awk, grep, sed, wc, and head. The behavior is disclosed in the skill files, but the registry metadata is incomplete.

Skill content

Required binaries (all must exist): none ... Capability signals: No capability tags were derived.

Recommendation

Review the skill.yaml and SKILL.md before installing, and ensure the required local tools are expected in your environment.