Skill v2.1.0
ClawScan security
Long-term Task Progress Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 16, 2026, 3:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (managing project documents) matches its instructions, but the runtime guidance advocates passive background monitoring and unscoped reads of "workspace state" and "recent error logs" without clear boundaries or user consent, which is a privacy and overreach concern.
- Guidance: This skill appears to be what it says (project progress management) but asks the agent to do passive background monitoring and to "read workspace state" and "recent error logs" with no clear scope. Before installing or enabling it:
  - Ask the author to clarify and limit the filesystem scope (explicitly restrict monitoring to the project directory).
  - Require explicit user consent or prompts for passive autosaves (disable "without user awareness" mode by default).
  - Inspect and control the .ltpm/config.json defaults (backup count, thresholds, enabled: true/false).
  - If you are concerned about privacy, run it in a sandbox or restrict the agent's file access so it cannot read system logs or unrelated directories.
  - Verify that optional tools (fswatch, jq, python3) are only used locally and are not automatically installed from untrusted sources.
  If the author can demonstrate that background monitoring is strictly limited to the project directory and that autosaves are opt-in, or at least notify the user, this would reduce the risk and could change the assessment to benign.
Review Dimensions
- Purpose & Capability
- note: The name and description (long-term project progress management) align with the files and behaviors described (MISSION.md, PROGRESS.md, NEXT_STEPS.md, snapshots). It is plausible that a progress manager would inspect project files and create autosave snapshots. However, the SKILL.md repeatedly assumes integration with an "always-on background service" (HEARTBEAT.md) even though the skill requests no explicit platform-level permissions or binaries; that integration is platform-specific and not justified by any declared requirements.
- Instruction Scope
- concern: Instructions call for passive background monitoring: "monitor HEARTBEAT.md," "read current workspace state (last modified files, recent error logs)," and produce automatic snapshots "without user awareness." The guidance is vague about the exact filesystem scope and could cause the agent to read files outside the intended project directory (including system or log files). The passive, no-user-awareness auto-save behavior and the loose definition of "workspace state" are the primary red flags.
- Install Mechanism
- note: This is an instruction-only skill with no install spec or code files (low install risk). The READMEs mention optional tools (fswatch, jq, python3) for convenience; those are reasonable for file watching and JSON handling but are optional and not enforced. No downloads or external installers are specified.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths. It asks the user to create a per-project config file (.ltpm/config.json), which is proportionate. There are no declared secret inputs or unrelated credential requirements.
- Persistence & Privilege
- note: The skill is not always:true and does not request to modify other skills or global agent settings. However, the design repeatedly encourages background/autonomous monitoring and autosave snapshots; combined with autonomous invocation (the platform default), that behavior increases the potential privacy impact if the implementation is given broad filesystem scope. The skill itself does not claim persistent installation or cross-skill modification.
