Agent Native Design
Advisory
Audited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you apply this guidance to real CLIs, agents may be given tokens that let them act with the token holder's permissions.
The skill teaches CLI designs where agents may operate with delegated tokens or profiles from environment-level configuration. This is expected for auth-aware CLI design, but it touches credential authority.
Human/system obtains auth token or credentials ... Set trusted env vars: token, profile, safety mode
Use short-lived, least-privilege tokens; clearly document required env vars; keep the human or platform in charge of login and token rotation.
If you approve an update, new upstream content could alter how the skill guides your agent.
The README documents an update-check/pull workflow for Git-installed copies. It is disclosed and requires consent, but accepting an update changes the installed skill's future instructions.
Notifies and asks — surfaces the actual version delta (`vX.Y.Z → vA.B.C`) and pulls only with explicit user consent
Install from a trusted source, prefer pinned or registry versions when possible, and review version changes before approving a pull.
