Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to implement the advertised commit-message generator and only invokes git commands (execSync) to read staged diffs — that's expected. However: 1) Inspect SKILL.md for invisible/control characters and remove them; they are a common prompt-injection vector. 2) Review index.js locally: execSync is used but only with hard-coded git commands ('git rev-parse' and 'git diff --cached --stat'), which is reasonable; ensure you run it in a trusted repository and not in a directory contai...
✓ Purpose and capabilities
Name, description, SKILL.md, and index.js are coherent: the code runs git commands, parses git diff --cached --stat, and builds Conventional Commit-style messages. No unrelated environment variables, binaries, or installs are requested.
ℹ Instruction scope
SKILL.md instructs the agent to analyze staged changes and generate commit messages — this is within scope. However, a static scan flagged unicode-control-chars in SKILL.md (prompt-injection pattern). While the visible SKILL.md content is benign, invisible control characters can be used to manipulate downstream parsers or agent behavior; manual inspection/removal is recommended.
✓ Install mechanism
No install spec; the skill is instruction/code-only. package.json has no dependencies and included files are local. This is low-risk from an installation perspective.
✓ Credential requirements
The skill requests no environment variables, no credentials, and no config paths. It only needs access to a git repository working directory, which matches its purpose.
✓ Persistence and privileges
always is false; skill does not request persistent or system-wide privileges and does not modify other skills. It can run autonomously (platform default), but that is not combined with broad credential access.
⚠ index.js:73
Shell command execution detected (child_process).
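Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/18
● Benign
Install command
Official: npx clawhub@latest install git-commit-helper-pro
Mirror (accelerated): npx clawhub@latest install git-commit-helper-pro --registry https://cn.longxiaskill.com (mirror syncing)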