Skill v1.1.0
ClawScan security
Git Commit Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 6:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only helper that produces Conventional Commit–style commit messages and PR descriptions; its declared requirements and instructions are consistent with that purpose and it does not request extra credentials or install software.
- Guidance: This skill is instruction-only and appears coherent with its stated purpose. Before installing: (1) confirm how your agent will provide repository context (diffs/staged changes) to the skill — the SKILL.md is high-level and expects that context to come from the agent or user; (2) do not grant repository credentials unless you trust the agent runtime that will supply diffs, since the skill itself does not request credentials but the agent may need them to access private repos; (3) review generated commit messages/PR text for accuracy and sensitive data leakage before publishing (automated generation can inadvertently include secrets or internal identifiers). If you require the skill to operate fully automatically, verify the agent's mechanism for reading the repo and storing any tokens it uses.
Review Dimensions
- Purpose & Capability [ok]: Name/description (generate Conventional Commit messages and PR descriptions) matches the content of SKILL.md. No unexpected binaries, environment variables, or config paths are required.
- Instruction Scope [note]: SKILL.md contains templates, examples, and user prompts for generating commits/PR text but is high-level and does not specify concrete commands to read the repository or diffs. This is appropriate for an instruction-only skill, but implementers/agents will need to supply repository context (diffs, staged changes, or file contents) externally.
- Install Mechanism [ok]: No install spec and no code files, so lowest risk. Nothing is downloaded or written to disk by the skill as provided.
- Credentials [ok]: The skill does not declare any environment variables, credentials, or config paths. That is proportionate for a commit-message generator.
- Persistence & Privilege [ok]: always:false and default autonomous invocation are unchanged. The skill does not request persistent system privileges or modify other skills' configs.
