here.now

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill’s publishing, cloud storage, credentials, and sharing behavior are disclosed and purpose-aligned, but users should be careful about what files, tokens, and API keys they let an agent handle.

Install only if you want an agent to publish files to here.now and/or store files in here.now Drives. Before use, review the exact folder being published, avoid uploading secrets, understand that an API key may be saved locally, and keep Drive share tokens narrowly scoped and short-lived.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent publishes the wrong folder, private or unnecessary files inside that folder could become part of the public site.

Why it was flagged

When given a directory, the publish helper recursively includes files from that directory for upload to a live site. The provided snippet shows only limited exclusions such as .DS_Store and .herenow/fork-meta.json.

Skill content

elif [[ -d "$TARGET" ]]; then ... done < <(find "$TARGET" -type f -print0 | sort -z)

Recommendation

Publish only a clean output folder intended for the web, and review the folder contents before running the publish command.

What this means

A saved API key gives future agent sessions authority over the user’s here.now account features supported by that key.

Why it was flagged

The skill uses here.now account credentials and instructs the agent to persist an API key locally for future authenticated publishing and Drive access.

Skill content

Optional environment variable: `$HERENOW_API_KEY` ... Optional credentials file: `~/.herenow/credentials` ... After receiving an API key, save it immediately

Recommendation

Only provide an API key if you want persistent account access, keep the credentials file private, and revoke or rotate the key if you no longer trust the environment.

What this means

Installing or updating through an external package source can run newer code than the reviewed artifact if the source changes.

Why it was flagged

The skill recommends a user-directed global install/update from an external package reference rather than a pinned install specification in the registry metadata.

Skill content

To install or update (recommended): `npx skills add heredotnow/skill --skill here-now -g`

Recommendation

Verify the package source and version before running the npx install/update command, especially for global installs.

What this means

Sensitive, outdated, or incorrect stored files could persist and influence later work if reused by agents.

Why it was flagged

The Drive feature is explicitly for persistent cloud storage of agent context and memory-like files that may be reused across sessions and tools.

Skill content

store private agent files in cloud folders where agents can store files (documents, context, memory, plans, assets, media, research, code, etc), share them with other agents, and continue across sessions and tools

Recommendation

Store only information you intend to persist, periodically review Drive contents, and avoid using stored notes as unquestioned instructions.

What this means

A Drive share token can let another agent read or write the shared Drive scope, and a full-Drive token is especially powerful.

Why it was flagged

The skill supports bearer-token based sharing between agents, including the possibility of full-Drive access when no path prefix is set.

Skill content

Use scoped Drive tokens for agent-to-agent handoff ... A `pathPrefix` of `null` means full-Drive access.

Recommendation

Share Drive tokens only with trusted agents, prefer narrow prefixes and short TTLs, and avoid full-Drive write access unless truly needed.