Low risk: risk score 10/100
Last scan: 1 day ago
git-commit-ai
Automatically generates a convention-compliant commit message from the git diff
This is a legitimate git commit message generation tool with accurately declared functionality. The code performs git operations, detects sensitive patterns in diffs for user warnings, and installs a Git hook for reminders. No malicious behavior detected.
Skill name: git-commit-ai
Analysis time: 30.7s
Engine: pi
Verdict: safe to install
This skill can be used safely. The sensitive pattern detection is a protective feature, not a threat.

Security findings (1)

Severity: Info
Finding: Sensitive pattern detection is protective (category: sensitive access)
Location: index.js:35
The code defines SENSITIVE_PATTERNS to detect passwords, API keys, tokens, private keys, and database connection strings in diffs. This is a user-protective feature that warns about accidentally committed secrets; it does NOT exfiltrate them.
const SENSITIVE_PATTERNS = [...];
→ This is legitimate security-aware behavior, not a threat.
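The finding above describes SENSITIVE_PATTERNS as a warn-only check. The block below is an added example written for this report, not code from the git-commit-ai project: it scans only the added lines of a unified diff, reports each hit by file and new-file line number, and redacts the matched value before it reaches the warning text, so the warning itself cannot leak the secret into a terminal log. The pattern list, the function names and the sample diff are this example's assumptions, not the project's.

```javascript
// Added example, not the git-commit-ai project's own code. Shows the shape of a
// warning-only secret check over a git diff. Pattern list, function names and
// SAMPLE_DIFF are this example's assumptions.

const SENSITIVE_PATTERNS = [
  { name: 'password assignment',
    re: /\b(?:password|passwd|pwd)\s*[:=]\s*['"]?[^'"\s]{6,}/i },
  { name: 'API key / token',
    re: /\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"]?[A-Za-z0-9_\-]{16,}/i },
  { name: 'private key block',
    re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'database connection string',
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s'"]*:[^\s'"]*@/i },
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
];

// Replace the matched region with a marker so the warning never echoes the value.
function redact(line, match) {
  const start = match.index;
  const end = start + match[0].length;
  return line.slice(0, start) + '[REDACTED]' + line.slice(end);
}

// Walk a unified diff, tracking the target file and the new-file line number,
// and run every pattern over each added line. Removed lines are skipped: they
// are leaving the tree, and flagging them would only be noise.
function scanDiffForSecrets(diff) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw.startsWith('+++ ')) {            // new-file header, e.g. "+++ b/config.js"
      file = raw.slice(4).replace(/^b\//, '');
      continue;
    }
    if (raw.startsWith('--- ') || raw.startsWith('\\')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) {                              // hunk header carries the new-file start line
      newLine = parseInt(hunk[1], 10);
      continue;
    }
    if (raw.startsWith('+')) {
      const content = raw.slice(1);
      for (const { name, re } of SENSITIVE_PATTERNS) {
        const m = re.exec(content);
        if (m) findings.push({ file, line: newLine, pattern: name, preview: redact(content, m) });
      }
      newLine++;
    } else if (raw.startsWith(' ')) {
      newLine++;                             // unchanged context also occupies a new-file line
    }
    // '-' lines and "diff --git"/"index" headers do not advance the new-file counter
  }
  return findings;
}

// Render findings as the warning lines a commit-message tool would print.
function formatWarnings(findings) {
  return findings.map(f =>
    `WARNING: possible ${f.pattern} in ${f.file}:${f.line}: ${f.preview}`);
}

// Constructed sample diff (not taken from any real repository). The removed
// token line is deliberately present to show that removed lines are not flagged.
const SAMPLE_DIFF = [
  'diff --git a/config.js b/config.js',
  'index 1111111..2222222 100644',
  '--- a/config.js',
  '+++ b/config.js',
  '@@ -1,4 +1,5 @@',
  ' const port = 3000;',
  "-const token = 'ghp_abcdefghijklmnopqrstuvwxyz';",
  '-const dbUrl = process.env.DATABASE_URL;',
  "+const dbUrl = 'postgres://app:hunter2secret@db.internal:5432/prod';",
  "+const apiKey = 'sk_live_0123456789abcdefghij';",
  '+const timeout = 30;',
  ' module.exports = { port, dbUrl, apiKey, timeout };',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const w of formatWarnings(scanDiffForSecrets(SAMPLE_DIFF))) console.log(w);
}
```

Running the block on the sample diff reports two hits, at config.js:2 (connection string) and config.js:3 (API key), with the credential portion replaced by `[REDACTED]`; the removed `token` line is never examined. Tracking the new-file line number from the `@@` header is what lets the warning point at the line the user will actually see in the committed file rather than at an offset into the diff.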
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ consistent | index.js:18: execSync usage for git commands (declared in SKILL.md)
File system | READ | WRITE | ✓ consistent | index.js:266-297: writeFileSync for .git/hooks/prepare-commit-msg (declared via -…
Environment variables | NONE | NONE | | No process.env access observed
Network access | NONE | NONE | | No network requests in code
Other findings (5)

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:7
Medium | External URL | https://opensource.org/licenses/MIT | README.md:7
Medium | External URL | https://img.shields.io/badge/Node-%3E%3D16-brightgreen.svg | README.md:8
Medium | External URL | https://nodejs.org/ | README.md:8
Medium | External URL | https://git-scm.com/docs/git-diff | skill.md:151

Directory structure

4 files · 23.7 KB · 908 lines
JavaScript: 1 file · 500 lines; Markdown: 2 files · 386 lines; JSON: 1 file · 22 lines
├─ index.js      JavaScript  500 lines · 14.3 KB
├─ package.json  JSON         22 lines · 421 B
├─ README.md     Markdown    227 lines · 5.3 KB
└─ skill.md      Markdown    159 lines · 3.7 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
Node.js builtins only | N/A | builtin | | Uses only fs, path, child_process, module; no external packages

Security highlights

✓ All shell commands (git diff, git rev-parse) are explicitly for the declared git commit message feature
✓ Git hook installation is declared via --install flag and creates only a benign reminder script
✓ Sensitive pattern detection warns users about accidentally committed secrets - protective behavior
✓ No external network connections or data exfiltration
✓ No obfuscation, no base64 execution, no reverse shell
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Minimal dependencies (only Node.js built-in modules)
✓ Documentation accurately reflects all functionality