local-media-cataloger
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to be a straightforward local media cataloger, but its generated manifest can contain private filenames, paths, sizes, and timestamps.
This looks safe for its stated purpose. Before installing or using it, be careful which folder you point it at, store the manifest somewhere private, and review the output before sharing because filenames, paths, and timestamps can reveal sensitive project details.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The manifest could reveal private project names, folder structures, media filenames, and activity dates if it is shared or stored in an unsafe location.
The script recursively catalogs files under the user-provided folder and writes a manifest containing local paths, filenames, sizes, and timestamps.
for p in root.rglob("*") ... "path": str(p), "filename": p.name ... "created_at" ... "modified_at" ... with open(args.out, "w"Run it only on the intended media folder, choose a controlled output path, and review the generated CSV/JSON before sharing it with others or reusing it in later agent tasks.