Security Scan
OpenClaw
Suspicious
medium confidence
The skill generally matches its stated purpose (code labeling, stats, and committing) but contains implementation mismatches that could cause unintended repository modifications (e.g., unconditional git add .) and a small instruction/file inconsistency — review before use.
Assessment Recommendations
This skill appears to implement the described labeling and statistics features, but review and test before running on important repositories. Key points to consider:
- The commit implementation runs 'git add .' and then commits: this can stage/commit any files (including secrets or unrelated files). Prefer modifying commit.py to only add the analyzed/changed files, or run it in a disposable branch or sandbox first.
- SKILL.md advises not to create Python files but scripts are included; verify wh...
ℹ Purpose and Capabilities
Name/description match the included code: analyze.py, commit.py, ai_commit.py and analyze_history.py implement the advertised functionality (AI/@human tagging, stats, dialog-driven commit, history parsing). No external credentials or unusual dependencies are requested. However, commit.py uses 'git add .' (stages everything) while analyze.py computes stats only on changed files via 'git diff --name-only' — this mismatch is disproportionate to the stated cautious workflow and could stage/commit files outside the intended scope.
⚠ Instruction Scope
SKILL.md instructs the agent to run local Python scripts and git commands (git config, git log, git add, git commit). That's expected, but two issues stand out: (1) SKILL.md warns not to create Python source (advocates using 'python -c'), yet Python script files are included in the package — an internal inconsistency; (2) the runtime flow will perform repository-modifying operations (git add . and git commit) which can add/commit unintended or sensitive files if run without review.
✓ Install Mechanism
No install spec (instruction-only) and included Python scripts; nothing is downloaded or installed from external sources.
✓ Credential Requirements
No environment variables or external credentials are requested. The scripts only read local git config and repository state, which aligns with the declared purpose.
ℹ Persistence and Privileges
The skill is not always-enabled and does not request elevated platform privileges. It does perform local side effects (git add ., git commit) which alter the repository — appropriate for a commit-helper but should be highlighted as a destructive action that runs on the user's repo.
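Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.0.1 2026/4/21
ai-code-stat-skill v1.0.1
- Added the main analysis-and-commit script ai_commit.py, which collects commit information through a dialog and automates the statistics and commit workflow
- Added the core scripts: analyze.py for line-count and AI-share statistics, and commit.py for generating standardized commit messages
- Added the history analysis script analyze_history.py, which supports analysis by committer, version, type, trend, and other dimensions
- Created SKILL-V1.md, adding implementation details and sandbox execution rules
- Updated the documentation (SKILL.md) with the Python implementation conventions and a fuller description of the commit and statistics workflow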
● Pending
Install Command
Official: npx clawhub@latest install ai-code-stat-skill
Mirror: npx clawhub@latest install ai-code-stat-skill --registry https://cn.longxiaskill.com (mirror syncing)