Low Risk — Risk Score 10/100
Last scan: 23 hr ago
git-commit-ai
Automatically generates a standards-compliant commit message from the git diff
This is a legitimate git commit message generation tool with accurately declared functionality. The code performs git operations, detects sensitive patterns in diffs for user warnings, and installs a Git hook for reminders. No malicious behavior detected.
Skill Name: git-commit-ai
Duration: 30.7s
Engine: pi
Safe to install
This skill can be used safely. The sensitive pattern detection is a protective feature, not a threat.

Findings (1 item)

Severity: Info
Finding: Sensitive pattern detection is protective (Sensitive Access)
Description: The code defines SENSITIVE_PATTERNS to detect passwords, API keys, tokens, private keys, and database connection strings in diffs. This is a user-protective feature that warns about accidentally committed secrets; it does NOT exfiltrate them.
Evidence: const SENSITIVE_PATTERNS = [...];
→ This is legitimate security-aware behavior, not a threat.
Location: index.js:35
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | index.js:18 execSync usage for git commands (declared in SKILL.md)
Filesystem | READ | WRITE | ✓ Aligned | index.js:266-297 writeFileSync for .git/hooks/prepare-commit-msg (declared via -…
Environment | NONE | NONE | | No process.env access observed
Network | NONE | NONE | | No network requests in code
External URLs (5 findings)

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:7
Medium | External URL | https://opensource.org/licenses/MIT | README.md:7
Medium | External URL | https://img.shields.io/badge/Node-%3E%3D16-brightgreen.svg | README.md:8
Medium | External URL | https://nodejs.org/ | README.md:8
Medium | External URL | https://git-scm.com/docs/git-diff | skill.md:151

File Tree

4 files · 23.7 KB · 908 lines
JavaScript: 1 file, 500 lines · Markdown: 2 files, 386 lines · JSON: 1 file, 22 lines
├─ 📜 index.js JavaScript 500L · 14.3 KB
├─ 📋 package.json JSON 22L · 421 B
├─ 📝 README.md Markdown 227L · 5.3 KB
└─ 📝 skill.md Markdown 159L · 3.7 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
Node.js builtins only | N/A | builtin | No | Uses only fs, path, child_process, module; no external packages

Security Positives

✓ All shell commands (git diff, git rev-parse) are explicitly for the declared git commit message feature
✓ Git hook installation is declared via --install flag and creates only a benign reminder script
✓ Sensitive pattern detection warns users about accidentally committed secrets - protective behavior
✓ No external network connections or data exfiltration
✓ No obfuscation, no base64 execution, no reverse shell
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Minimal dependencies (only Node.js built-in modules)
✓ Documentation accurately reflects all functionality