Agent Runlog

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is a coherent shell-command logging helper, but users should notice that it runs an external npx CLI and stores local command logs that may contain private output.

Before installing or using this skill, verify that the `agent-runlog` npm package is trustworthy, consider pinning a version, keep `.agent-runs/` out of commits and shared channels, and only disable redaction or wrap destructive commands with explicit approval.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrapped command can still change files, run scripts, or perform destructive actions if the underlying command does so.

Why it was flagged

The skill documents a wrapper that can run arbitrary shell commands. This is central to the stated purpose, and the skill adds a warning about destructive commands, but users should still treat wrapped commands as normal shell execution.

Skill content

npx agent-runlog -- <command> [args...]

Recommendation

Use it mainly for expected test, lint, build, and debugging commands, and require explicit approval before wrapping commands that modify or delete important data.

What this means

If the resolved npm package or version is not the one the user expects, the agent could execute unreviewed third-party code.

Why it was flagged

The documented workflow executes an unpinned external CLI through `npx`; the provided artifacts include no install spec or package code for review. This is common for CLI-based skills but leaves package provenance and version choice to the user environment.

Skill content

npx agent-runlog -- npm test

Recommendation

Verify the npm package source and consider pinning a trusted version before using it in sensitive projects.

What this means

Private command output, error messages, paths, or git state could remain on disk and be accidentally shared or committed.

Why it was flagged

The skill persists command output summaries locally. The documentation says redaction is on by default and warns to keep private logs local, so this is disclosed and purpose-aligned, but the stored logs may still include sensitive project or environment details.

Skill content

It writes a small local ledger under `.agent-runs/<timestamp>/`.

Recommendation

Keep `.agent-runs/` local, exclude it from commits if needed, review summaries before sharing, and avoid `--no-redact` unless explicitly required.