stream-formatter
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to only format streaming text, with a small supply-chain note for its external validation import and a statefulness note for its in-memory buffer.
This looks safe for its stated purpose of improving streamed chat output. Before installing, note that it uses an external pinned Zod import despite claiming zero external dependencies, and make sure the formatter state is reset between separate conversations or users.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill’s availability and integrity partly depend on the referenced external package source.
The skill depends on an external Deno-hosted module at runtime/build time. It is version-pinned and used for input validation, so this is purpose-aligned, but it is still a supply-chain dependency users should be aware of.
import { z } from "https://deno.land/x/zod@v3.22.4/mod.ts";
Declare the external dependency in the skill metadata or documentation, keep it pinned, and consider vendoring or lockfile verification for stronger provenance.
If the same runtime is reused without reset, prior streamed text could affect later formatting or de-duplication behavior.
The formatter stores recent stream content in module-level variables across process calls until init or reset clears them. This is expected for buffering, but it creates short-lived retained context.
let buffer = ""; let lastOutput = ""; ... buffer += chunk; ... lastOutput = output;
Call init or reset at the start and end of each stream, and avoid sharing one formatter state across unrelated users or conversations.
