Cross-Branch Migration Audit

Security checks across malware telemetry and agentic risk

Overview

The visible artifacts describe a local, read-oriented git migration audit skill; users should mainly be aware that it runs repository inspection commands and may include code-history details in reports.

This appears safe to use as a local git audit helper if you intend the agent to inspect the repository. Confirm the source/target branches and paths before running it, keep generated reports private, and review the full skill text if you can obtain it, because the SKILL.md content provided for this review was truncated.

Publisher note

This skill only uses local git commands (git log, git diff, git show) to analyze repository history. No network access required. No external APIs called.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Low

What this means

The agent may inspect local repository files and history in the working directory where it is run.

Why it was flagged

The skill tells the agent to run local shell/git commands built from user-supplied branches, paths, and search terms. This is purpose-aligned and appears read-oriented, but the values are interpolated into command lines, so they still need the usual care around command scope and parameter handling: git parses any argument beginning with "-" as an option, so a start commit or branch value of that form would change what the command does, and search terms passed to grep need quoting so the shell does not expand them. The quoted git log command already uses "--" to separate revisions from paths, which protects the path arguments but not the revision range.

Skill content

Before starting the audit, automatically detect the project type ... `ls -la` ... `grep -r "productFlavors" ...`; `git log <start-commit>..origin/<source-branch> --oneline --no-merges -- <module-path-1>`

Recommendation

Run it only in the intended repository, confirm that the branch and path inputs exist and mean what you expect (for example, `git rev-parse --verify origin/<source-branch>` before the audit), and avoid broad or ambiguous paths unless you want them included in the audit.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info

What this means

The skill may fail or behave inconsistently if the expected command-line tools are unavailable.

Why it was flagged

The registry metadata does not declare required binaries, while the visible instructions rely on local tools such as git, ls, and grep. This is an under-declared dependency note, not evidence of hidden installation or unsafe provenance.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Ensure git and the standard shell utilities the instructions use (ls, grep) are on PATH before use; the publisher should declare these runtime expectations in the skill metadata.
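As an added example, written for this review and not part of the skill or of ClawScan's tooling, the following Python wrapper applies the recommendations from the ASI02 and ASI04 findings before the skill's quoted git log command is run: it checks that the undeclared binaries are on PATH, rejects start-commit or branch values that git would parse as options (git treats any leading "-" argument as an option, and the quoted command's "--" protects only the path arguments, not the revision range), keeps module paths inside the repository, and builds the command as an argv list with no shell. All function names are hypothetical, and the inputs in the usage at the bottom are constructed.

```python
"""Input validation for the audit's git commands.

Added example for this review, not the skill's own code. It assumes a
hypothetical wrapper that takes the start commit, source branch and module
paths from the user and builds the argv for the skill's quoted command
`git log <start-commit>..origin/<source-branch> --oneline --no-merges -- <paths>`
without a shell, so no user-supplied value can be reparsed as a git option.
"""
import re
import shutil
import subprocess

# Binaries the visible skill text relies on but the metadata does not declare.
REQUIRED_TOOLS = ("git", "ls", "grep")

# Stricter than `git check-ref-format`: the first character must be a letter or
# digit, so a name can never start with '-' and be parsed as an option.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
_HEX_RE = re.compile(r"^[0-9a-f]{7,40}$")


def preflight_missing_tools(tools=REQUIRED_TOOLS):
    """Return the required binaries that are not on PATH (empty list is good)."""
    return [t for t in tools if shutil.which(t) is None]


def validate_ref(name, what="ref"):
    """Return name if it is a safe branch/tag name, else raise ValueError."""
    if (not _REF_RE.match(name) or ".." in name or "@{" in name
            or "//" in name or name.endswith(("/", ".", ".lock"))):
        raise ValueError(f"{what} {name!r} is not a safe ref name")
    return name


def validate_commit(rev):
    """Accept a hex SHA (7-40 chars) or a safe ref name as the start commit."""
    if _HEX_RE.match(rev):
        return rev
    return validate_ref(rev, "start commit")


def validate_module_path(path):
    """Keep the audit inside the repository and explicit about scope.

    Rejects absolute paths, '..' components and '.' (whole repository). The
    skill's command puts '--' before paths, so a leading '-' is not an
    option-injection risk here; the concern is only how much gets read.
    """
    norm = path.replace("\\", "/").rstrip("/")
    if (not norm or norm.startswith("/") or re.match(r"^[A-Za-z]:", norm)
            or any(p in ("", ".", "..") for p in norm.split("/"))):
        raise ValueError(f"module path {path!r} is absolute, empty, or leaves the module")
    return norm


def check_inputs(start_commit, source_branch, module_paths):
    """Collect every problem with the user-supplied inputs (empty list = OK)."""
    problems = []
    checks = [(validate_commit, start_commit),
              (lambda b: validate_ref(b, "source branch"), source_branch)]
    checks += [(validate_module_path, p) for p in module_paths]
    for fn, value in checks:
        try:
            fn(value)
        except ValueError as e:
            problems.append(str(e))
    if not module_paths:
        problems.append("no module paths given; a repository-wide audit must be an explicit choice")
    return problems


def build_log_argv(start_commit, source_branch, module_paths):
    """Argv (no shell) for the skill's git log command; ValueError if any input is unsafe."""
    problems = check_inputs(start_commit, source_branch, module_paths)
    if problems:
        raise ValueError("; ".join(problems))
    rev_range = f"{validate_commit(start_commit)}..origin/{validate_ref(source_branch)}"
    return ["git", "log", rev_range, "--oneline", "--no-merges", "--",
            *(validate_module_path(p) for p in module_paths)]


def ref_exists(repo_dir, ref):
    """Confirm a ref resolves to a commit in repo_dir (runs git; needs a checkout)."""
    r = subprocess.run(["git", "-C", repo_dir, "rev-parse", "--verify", "--quiet",
                        ref + "^{commit}"], capture_output=True, text=True)
    return r.returncode == 0


def run_audit_log(repo_dir, start_commit, source_branch, module_paths):
    """Run the validated command in the intended repository and return its stdout."""
    missing = preflight_missing_tools()
    if missing:
        raise RuntimeError(f"missing required tools: {', '.join(missing)}")
    argv = build_log_argv(start_commit, source_branch, module_paths)
    for ref in (start_commit, "origin/" + source_branch):
        if not ref_exists(repo_dir, ref):
            raise RuntimeError(f"{ref} does not exist in {repo_dir}")
    return subprocess.run(["git", "-C", repo_dir, *argv[1:]],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a benign audit request and an option-shaped start commit.
    print(build_log_argv("abc1234", "release/2.0", ["app/core", "lib/net/"]))
    print(check_inputs("--output=/tmp/x", "main", ["app"]))
```

`run_audit_log` is the only function that touches a real repository; the validators and `build_log_argv` are pure, so they can be unit-tested without git installed, which is also the reason the tool check is a separate preflight step rather than an exception deep inside the command builder.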

ASI06: Memory and Context Poisoning
Severity: Low

What this means

Private source code, commit messages, or architectural details may appear in the audit output.

Why it was flagged

The skill is designed to ingest and summarize repository history and diffs. That is expected for a migration audit, but the resulting context or HTML report may contain proprietary code details.

Skill content

It analyzes git history, diff content, and code semantics ... and generate structured audit reports.

Recommendation

Treat generated reports as containing source code: store and share them under the same access controls as the repository itself, and run the skill only on repositories whose contents you are comfortable having analyzed by the agent.