📦 Commit code safe and nice — Smart, Safe Commits

v1.0.0

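Complete a Git commit in one step: automatic staging, remote sync, and smart amending, following the Conventional Commits specification so the code history stays clear and traceable.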

by @hugogu (Hugo Gu)
Last updated: 2026/4/1
Security scan
VirusTotal: benign
OpenClaw: suspicious (medium confidence)
Assessment recommendations
This skill appears to implement a helpful commit workflow but has practical risks. Before installing or enabling it: 1) Require explicit user confirmation before any git pull/rebase or push — do not allow automatic network operations on casual mentions. 2) Remove or make optional the automatic 'git add -A' and instead present a staged-file selection to the user; ensure it never stages known secret files by default. 3) Make the inclusion of AI-model or vendor info in commit footers optional and c...
Detailed analysis
Purpose and capability
The name/description match the git commands and flow in SKILL.md (fetch, rebase, diff, amend/new commit, generate conventional commits). However, the SKILL.md prescribes embedding agent/model info into commit footers and instructs the skill to 'TRIGGER' on any mention of committing — this aggressive trigger behavior is not reflected in the registry metadata (always:false) and feels disproportionate to a simple commit helper.
Instruction scope
Instructions include running repository-wide commands (git fetch/pull/rebase, git add -A, git push) and rely on the agent's 'judgment' to stage changes while also telling it to avoid secrets. This is ambiguous and grants broad discretion: a blanket git add -A can stage secrets accidentally; automatic rebase/pull and push behavior can expose private data or rewrite history without an explicit, enforced confirmation step. The SKILL.md's required trigger behavior ('TRIGGER this skill whenever the user mentions committing') is overly broad and risks unintended commits or pushes.
Install mechanism
Instruction-only skill with no install steps and no code files. Lowest installation risk — nothing is written to disk by a package mechanism.
Credential requirements
The skill asks the agent to append 'Co-authored-by: Claude <noreply@anthropic.com>' and 'AI-model: <model-id>' using 'what's available from the environment' but declares no required environment variables. Expecting model or system context without declaring required env vars is an untracked data request. Including model identifiers and a fixed vendor email in commits may leak internal runtime metadata to remote Git servers and seems unnecessary for a generic git helper.
Persistence and privileges
Metadata does not request always:true and the skill is user-invocable only — appropriate. However, combined with the SKILL.md's instruction to trigger on casual mentions and to perform networked operations (fetch/pull/rebase/push), autonomous invocation (the platform default) would give this skill the ability to modify and push remote repositories without strong explicit confirmation. That combination raises operational risk even though no permanent presence or special privileges are requested.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/4/1

Benign

Install command

Official: npx clawhub@latest install proper-git-commit
Mirror (accelerated): npx clawhub@latest install proper-git-commit --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库