Agent Work Receipts
Pass. Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent and safety-oriented, but users should note that it runs external npm CLIs, executes project commands, and creates local log/receipt files that may contain sensitive output.
This skill appears safe and purpose-aligned for auditable coding work. Before using it, be comfortable running the referenced npm packages and your repo’s npm scripts, keep generated logs and receipts local unless intentionally shared, and review any generated artifacts before committing or posting them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running these commands may download and execute third-party npm packages on the local repository.
The skill relies on external npm packages invoked through npx, and the artifact does not pin package versions. This is disclosed and central to the workflow, but users should be aware of the package provenance risk.
npx repo-agent-brief . > AGENT_BRIEF.md
npx agent-runlog -- npm test
npx @builtbyecho/trustlog run -- npm test
Review the referenced packages before use, consider pinning versions, and run in a controlled repo environment if supply-chain risk matters.
Project scripts may modify files, access the network, or run code already present in the repository.
The workflow instructs the agent to run local project commands through logging tools. This is purpose-aligned for coding verification, but npm scripts can execute arbitrary project-defined code.
npx agent-runlog -- npm test
npx agent-runlog -- npm run lint
npx agent-runlog -- npm run build
Use this in repositories you trust, inspect scripts before running them, and require approval for commands that change files, publish artifacts, or affect external services.
If committed or posted without review, generated artifacts could disclose private code details, test output, paths, or other sensitive information.
The skill creates persistent local logs, briefs, and receipts that may include repository details or command output. The skill appropriately warns users to keep them local and inspect before sharing.
Keep `.agent-runs/`, `.trustlog/`, `AGENT_BRIEF.md`, and `AGENT_HANDOFF.md` local unless the user wants them committed or shared. Inspect generated artifacts before public posting; redaction helps but is not a guarantee.
Keep generated artifacts local by default, review and redact them before sharing, and add them to .gitignore unless they are intentionally part of the handoff.
