Skill v0.1.0
ClawScan security
Palest Ink - Activity Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 6:20 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated activity-tracking purpose, but it requests invasive local access (browser history, shell history, VS Code state, git repos), installs a persistent background agent and global git hooks, and the registry metadata declares none of these permissions or side effects. That combination is high-risk and deserves careful review before installing.
- Guidance: This skill is coherent with an activity-tracking purpose, but it is invasive and persistent. Before installing:
  1. Review collectors/install.sh and collectors/uninstall.sh to see exactly which files, plists and git hooks will be written and how to remove them.
  2. Inspect any launchd plist the installer creates and confirm it runs only as your user (not root) and what command it runs.
  3. Review the git_hook.sh content to ensure the hooks don't leak data or run unwanted commands.
  4. Be aware the collectors read browser history DBs, shell histories and repo contents, and will fetch page content for visited URLs (collect_content.py uses urlopen), which means the collector itself makes outbound network requests. Although the package claims data stays local, these operations access sensitive data; consider installing only on a throwaway account/VM or after auditing the scripts.
  5. Confirm the uninstall path works and that config/data are stored under ~/.palest-ink and not elsewhere.
  6. If you're uncomfortable with continuous monitoring or granting Full Disk Access/Accessibility, do not install.
  If you need help, ask for a line-by-line review of install.sh, the launchd plist and the git hook scripts before running them.
Review Dimensions
- Purpose & Capability
  - note: The name/description (activity tracker) aligns with the included code: collectors for git, Chrome/Safari, shell history, VS Code, app focus and file changes, plus reporting/query scripts. These capabilities legitimately require access to local history files, repos and an installer that sets up background collection. However, the skill is invasive by design (reads browser DBs, shell histories, scans repos, fetches page contents), and the registry metadata did not declare required config paths or permissions (e.g., Full Disk Access/Accessibility on macOS), which is an important omission to surface to users.
- Instruction Scope
  - note: SKILL.md instructions are scoped to checking installation, running local Python reporting/query/status scripts, and falling back to grepping the skill's own JSONL data files. The docs instruct the user to run collectors/install.sh to enable automatic tracking. The instructions themselves do not tell the agent to read arbitrary system files, but the collectors the installer deploys do read many sensitive local artifacts (browser DBs, ~/.zsh_history, tracked repos). That behavior is coherent with the stated purpose but is privacy-sensitive.
- Install Mechanism
  - concern: There is no install spec in the registry, but the package contains an install.sh that (per README) will create ~/.palest-ink, install global git hooks, and install a launchd agent that runs every 15 seconds. Those installer actions modify user-level system configuration (background agents, global git hooks). Although self-contained (no external downloads shown), this is a high-impact install step and should be inspected before running.
- Credentials
  - concern: The skill requests no environment variables in registry metadata, but the code reads many sensitive local resources (Chrome/Safari history DBs, shell history files, tracked repos, VS Code state) and requires macOS permissions (Full Disk Access, Accessibility) to function fully. That level of access is proportionate to an always-on activity monitor but is highly sensitive; the lack of declared required config/permission fields in metadata makes this mismatch noteworthy.
- Persistence & Privilege
  - concern: The installer creates a persistent background collector (launchd agent every 15s) and installs global git hooks; this gives the skill long-lived monitoring capabilities and a wide blast radius if misused. The skill is not marked always:true in the registry (good), but the persistent agent and hooks are inherent privileges and should be reviewed carefully.
