Low Risk — Risk Score 20/100
Last scan: 2 days ago
git-commit-helper
Smart Git commit message generator: automatically generates standardized commit messages from code changes
Legitimate git commit helper with undocumented shell execution via execSync and an unimplemented clipboard feature
Skill Name: git-commit-helper
Duration: 35.6s
Engine: pi
Safe to install
Declare the shell:WRITE capability in SKILL.md, and either remove the misleading clipboard claim or implement the clipboard functionality

Findings (3 items)

Severity | Finding | Location

[Medium] Shell execution undocumented (SKILL.md:1)
SKILL.md describes the skill as analyzing git diff without mentioning that it uses execSync to execute shell commands. This is a doc-to-code mismatch.
Evidence (SKILL.md):
## Features

- 🤖 **Smart analysis**: analyzes git diff and understands the code changes
→ Add 'Uses execSync for git commands' to the capability declarations in SKILL.md

[Low] Clipboard feature not implemented (index.js:1)
SKILL.md claims '⚡️ 一键使用:复制即可用' (one-click use: copy and it is ready), but the code has no clipboard integration. The skill returns messages via its API only.
Evidence (index.js):
// Export the skill interface
module.exports = { execute() { return ... } }
→ Either implement clipboard functionality or remove the clipboard claim from SKILL.md

[Info] Unusual file structure (SKILL.md:55)
SKILL.md contains embedded JavaScript code within a comment block at the end of the file, which mirrors the index.js content.
Evidence (SKILL.md):
/**
 * Git Commit Helper - Smart Git Commit Message Generator
 * ...
 */
→ Remove the duplicate code from SKILL.md; keep documentation separate from implementation
Resource | Declared | Inferred | Status | Evidence
Shell | NONE | WRITE | ✗ Violation | index.js:45-46 execSync('git rev-parse --git-dir')
Filesystem | READ | READ | ✓ Aligned | index.js:50-53 git diff command reads repository state

File Tree

6 files · 11.5 KB · 506 lines
JavaScript 2f · 324L | Markdown 2f · 149L | JSON 2f · 33L
├─ 📜 index.js JavaScript 256L · 6.0 KB
├─ 📋 package-lock.json JSON 13L · 221 B
├─ 📋 package.json JSON 20L · 365 B
├─ 📝 README.md Markdown 95L · 1.9 KB
├─ 📝 SKILL.md Markdown 54L · 1.1 KB
└─ 📜 test.js JavaScript 68L · 2.0 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
none | N/A | package.json | No | No external dependencies; uses only the Node.js built-in child_process module

Security Positives

✓ No credential harvesting or environment variable access
✓ No network exfiltration or C2 communication
✓ No base64 encoded payloads or eval() calls
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No curl|bash or wget|sh remote script execution
✓ execSync usage is limited to git commands only (legitimate use case)
✓ No known vulnerabilities in dependencies (no external dependencies)
✓ MIT license with transparent author attribution