Tech Debt Tracker
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent technical-debt scanner; it appears benign, but it runs local scripts over your code and can create reports containing private project details.
This skill is reasonable to use for technical-debt analysis if you are comfortable running local Python scripts over the target repository. Keep scans scoped, configure exclusions, and treat generated JSON/dashboard files as potentially sensitive project artifacts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a broad or sensitive directory, the tool may analyze and summarize private source files or security findings into an output report.
The scanner accepts a user-supplied filesystem path and can write a report. This is central to the tool's purpose, but it means the user controls the scope and should avoid scanning unintended directories.
python scripts/debt_scanner.py /path/to/codebase --config config.json --output report.json
Run it only on intended repositories, use ignore patterns for secrets/build artifacts/vendor folders, and review generated reports before sharing them.
The user is running local code that can read the selected project files and produce output artifacts.
Using the skill involves executing bundled local Python scripts. The execution is documented and user-directed, with no evidence of automatic or hidden execution.
python scripts/debt_scanner.py ~/my-project --output initial_scan.json
Review the bundled scripts if provenance matters, run them from a trusted checkout, and avoid granting elevated privileges unless necessary.
It may be harder for a user to independently verify the origin or maintenance history of the bundled scripts.
The artifacts do not provide a public source or homepage, and the registry does not declare an install mechanism, even though local scripts are included and documented for use.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Treat the bundled scripts as the source of truth, inspect them before use in sensitive repositories, and prefer running them in a normal user context.
Generated JSON or dashboard files could reveal private codebase structure or sensitive security-debt information if shared too broadly.
The dashboard workflow stores and reuses scan results over time. These persistent reports may include project file paths, debt descriptions, and security-related findings.
python scripts/debt_dashboard.py scan1.json scan2.json scan3.json --output dashboard.json
Store scan outputs in an appropriate private location, avoid publishing reports that expose sensitive findings, and periodically prune stale historical data.
