git-commit-helper 安全扫描报告 — 低风险 | ClawSafe

20 /100

git-commit-helper

智能 Git Commit Message 生成器 - 根据代码变更自动生成规范的 commit message

Legitimate git commit helper with undocumented shell execution via execSync and an unimplemented clipboard feature

技能名称git-commit-helper

分析耗时35.6s

引擎pi

✓

可以安装

Declare shell:WRITE capability in SKILL.md and remove the misleading clipboard claim, or implement clipboard functionality

安全发现 3 项

严重性	安全发现	位置
中危	Shell execution undocumented SKILL.md describes the skill as analyzing git diff without mentioning that it uses execSync to execute shell commands. This is a doc-to-code mismatch. `## 功能 - 🤖 智能分析：分析 git diff，理解代码变更内容` → Add 'Uses execSync for git commands' to the capability declarations in SKILL.md	`SKILL.md:1`
低危	Clipboard feature not implemented SKILL.md claims '⚡️ 一键使用：复制即可用' but the code has no clipboard integration. The skill returns messages via its API only. `// 导出技能接口 module.exports = { execute() { return ... } }` → Either implement clipboard functionality or remove the clipboard claim from SKILL.md	`index.js:1`
提示	Unusual file structure SKILL.md contains embedded JavaScript code within a comment block at the end of the file, which mirrors index.js content. `/** * Git Commit Helper - 智能 Git Commit Message 生成器 * ... */` → Remove duplicate code from SKILL.md; keep documentation separate from implementation	`SKILL.md:55`

资源类型	声明权限	推断权限	状态	证据
命令执行	`NONE`	`WRITE`	✗ 越权	index.js:45-46 execSync('git rev-parse --git-dir')
文件系统	`READ`	`READ`	✓ 一致	index.js:50-53 git diff command reads repository state

6 文件 · 11.5 KB · 506 行

JavaScript 2f · 324L Markdown 2f · 149L JSON 2f · 33L

├─ 📜 index.js JavaScript 256L · 6.0 KB

├─ 📋 package-lock.json JSON 13L · 221 B

├─ 📋 package.json JSON 20L · 365 B

├─ 📝 README.md Markdown 95L · 1.9 KB

├─ 📝 SKILL.md Markdown 54L · 1.1 KB

└─ 📜 test.js JavaScript 68L · 2.0 KB

包名	版本	来源	已知漏洞	备注
`none`	`N/A`	package.json	否	No external dependencies - uses only Node.js built-in child_process module

✓ No credential harvesting or environment variable access

✓ No network exfiltration or C2 communication

✓ No base64 encoded payloads or eval() calls

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No curl|bash or wget|sh remote script execution

✓ execSync usage is limited to git commands only (legitimate use case)

✓ No known vulnerabilities in dependencies (no external dependencies)

✓ MIT license with transparent author attribution