Skillv0.1.0

ClawScan security

Promptfolio Summarize · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 5:02 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill largely does what it says (scan local agent logs, extract 'framework sentences', assemble a profile and prepare a payload), but several instructions and behaviors expand its scope in privacy-impacting ways and a few inconsistencies reduce trust.
Guidance: This skill is functionally coherent with its description, but it will scan many local app data directories and write a local API token config. Before running or installing: 1) Inspect the updater path referenced (~/.promptfolio/update-check.sh) — the bundle does not include it; avoid running an updater you didn't review. 2) Review device-auth.sh and confirm the API URL (default https://promptfolio.club) is a service you trust; the script will save an api_token in ~/.promptfolio/config.json. 3) Be aware the discovery script will "peek inside" unknown dot-directories and include any conversation-like files without asking — consider running the discovery step yourself, in a terminal, to see what it finds before allowing any upload. 4) If you have sensitive data in app support folders or exported chats, run the analysis in an isolated account or verify which session files are being included and explicitly review the assembled payload (promptfolio_payload.json) before any network upload. 5) If you are uncomfortable, ask the skill developer for a mode that produces a dry-run listing of files to be analyzed and an explicit per-file confirmation UI before parsing or uploading.

Review Dimensions

Purpose & Capability: okThe skill's name/description (build a portrait from AI conversation history) aligns with the included scripts: discovery of session files, parsing/extracting messages, computing stats, assembling a payload. The bundled scripts implement the advertised functionality.
Instruction Scope: concernThe runtime instructions and scripts instruct broad, recursive scanning of many application data directories (~/Library/Application Support, hidden dotfolders, various agent config/data paths) and to "peek inside" unknown tool dirs and include them without asking. Although this is useful for maximizing coverage, it grants the skill authority to read many local files (potentially including sensitive information) beyond clearly scoped conversation exports. The SKILL.md also insists you run an "auto-updater" (~/.promptfolio/update-check.sh) before anything — that updater file is not present in the bundle, creating a mismatch and an opportunity for unexpected behavior if the missing updater is later provided or fetched externally.
Install Mechanism: okNo external install is required; the skill is instruction-driven and includes its own helper scripts. There is no download-from-URL installer in the package. Because code files are bundled, they will execute locally when invoked — that is expected for this kind of tool.
Credentials: concernThe skill declares no required env vars or credentials, but it expects and will create/read ~/.promptfolio/config.json (device-auth.sh writes an API token there) and uses the promptfolio API URL (default https://promptfolio.club). It reads a wide set of user data locations (many app support dirs and DBs). The request to auto-include unknown directories without asking is disproportionate for a privacy-sensitive operation and increases the risk of exposing unrelated personal data. There are optional environment overrides (PROMPTFOLIO_API_URL, IS_PUBLIC, etc.) but no clear, enforced confirmation step tying which files will be uploaded vs kept local.
Persistence & Privilege: noteThe skill does not request 'always: true'. It does create a per-user config (~/.promptfolio/config.json) to store an API token from a device auth flow, and writes temporary extraction artifacts under /tmp and _pf_parts. It does not modify other skills or global agent settings. Autonomous invocation is allowed by default (not flagged on its own) — combine that with broad local scanning and stored credentials to assess risk.