Trust Log

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent and local-first, but it relies on an external npm CLI and creates local audit receipts that users should inspect before sharing.

This skill appears appropriate for creating local audit receipts. Before using it, satisfy yourself that you trust the external npm package that npx fetches and runs, approve only commands you actually want executed, and review generated .trustlog files before sharing them publicly.

Findings (3)

Informational, artifact-based review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the findings describe what the skill's text and metadata declare, not observed behaviour.

What this means

Logging a command does not constrain it: a poorly chosen command affects the local project exactly as it would without the wrapper, the only difference being that a receipt of it is kept.

Why it was flagged

The skill can wrap arbitrary local commands. This is central to its audit-log purpose, and the instructions advise non-destructive use, but that advice is not a technical restriction, so users should still ensure only intended commands are run.

Skill content
npx @builtbyecho/trustlog run -- <command> [args...]
Recommendation

Use the wrapper only for commands you would otherwise approve, and review command intent before execution.

What this means

Running the skill means trusting the provenance of the npm package and whatever its published contents are at the moment npx resolves and executes it.

Why it was flagged

The documented workflow uses npx to run an external npm package, while the supplied skill has no local code files or install spec for review.

Skill content
npx @builtbyecho/trustlog run -- npm test
Recommendation

Verify the package's source and the exact version you run if supply-chain assurance matters, and consider pinning that version (npx accepts @builtbyecho/trustlog@<version>) rather than resolving the latest release on each invocation.
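One way to apply the recommendations of the first two findings together (allowlist the commands the wrapper may run, and pin the package version), as an added example that is not the trustlog project's own code. It assumes only the CLI shape quoted on this page (npx @builtbyecho/trustlog run -- <command> [args...]) and npm's package@version pinning syntax for npx; the allowlist contents and the version string are placeholders to replace with your own.

```python
"""Gate commands handed to the trustlog wrapper and pin the package version.

Added example; this is not the trustlog project's code. It assumes the CLI
shape quoted on this page (`npx @builtbyecho/trustlog run -- <command>
[args...]`) and standard npm `<package>@<version>` pinning for npx.
"""
import subprocess
import sys

PACKAGE = "@builtbyecho/trustlog"
# Placeholder, not a real release: replace with the version you reviewed
# (for example after `npm view @builtbyecho/trustlog version`).
PINNED_VERSION = "0.0.0"

# Commands you would approve without the wrapper, keyed by program name.
# A set lists the permitted first argument; None permits any arguments.
# Constructed for the example; adjust to your project.
ALLOWLIST = {
    "npm": {"test", "run", "ci"},
    "pytest": None,
    "go": {"test", "vet"},
}

# Conservative: rejected even in argv form, in case a tool downstream
# re-joins the arguments into a shell string.
SHELL_META = set(";&|`$<>\n")


class CommandRejected(ValueError):
    pass


def check_command(argv):
    """Return argv unchanged if allowlisted, else raise CommandRejected."""
    if not argv:
        raise CommandRejected("empty command")
    prog = argv[0]
    # Path-based programs (./scripts/x.sh) are never allowlisted by name.
    if "/" in prog or prog not in ALLOWLIST:
        raise CommandRejected(f"program not allowlisted: {prog}")
    allowed_first = ALLOWLIST[prog]
    if allowed_first is not None and (len(argv) < 2 or argv[1] not in allowed_first):
        raise CommandRejected(f"subcommand not allowlisted: {' '.join(argv)}")
    for arg in argv:
        if SHELL_META & set(arg):
            raise CommandRejected(f"shell metacharacter in argument: {arg!r}")
    return list(argv)


def is_allowed(argv):
    try:
        check_command(argv)
    except CommandRejected:
        return False
    return True


def build_invocation(argv, version=PINNED_VERSION):
    """Full argv for npx with the package version pinned."""
    return ["npx", f"{PACKAGE}@{version}", "run", "--", *check_command(argv)]


def main(args):
    try:
        invocation = build_invocation(args)
    except CommandRejected as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 2
    print("running:", " ".join(invocation), file=sys.stderr)
    # No shell=True: the argv list is passed to npx exactly as checked.
    return subprocess.run(invocation).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Before choosing PINNED_VERSION, `npm view @builtbyecho/trustlog version` shows the currently published version and `npm pack @builtbyecho/trustlog@<version> --dry-run` lists the files that version would install; since the skill ships no local code files, that tarball listing is the closest thing to the review the second finding asks for.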

What this means

Receipts may contain sensitive project information if shared without review.

Why it was flagged

The skill stores reusable local JSON/Markdown receipts that may include command results or summaries, and the artifact itself warns that redaction is not a substitute for inspection.

Skill content
Receipts redact common secrets and strip thinking-looking blocks, but still inspect before posting publicly.
Recommendation

Inspect generated .trustlog files before posting them in PRs, tickets, or chat.
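A scanner for that inspection step, added here as an example rather than taken from the trustlog project. The real .trustlog layout is not shown on this page, so the sample receipt below is constructed and the scanner walks arbitrary JSON instead of assuming a schema (a non-JSON, Markdown receipt is scanned as plain text). It reports secret-shaped strings that a generic "common secrets" pass often misses, while ignoring values redaction has already replaced.

```python
"""Inspect a trustlog-style receipt for secret-looking strings before sharing.

Added example, not the trustlog project's code. The receipt layout of
SAMPLE_RECEIPT is constructed for illustration; the real .trustlog format is
not described here, so the scanner walks arbitrary JSON instead of assuming
a schema, and treats a non-JSON (Markdown) receipt as plain text.
"""
import json
import re
import sys

# Shapes that a generic "common secrets" redaction pass often misses.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_pem", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
    ("url_with_credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]
# key=value or key: value with a secret-like key name. The value is captured
# so placeholders left by redaction (e.g. [REDACTED]) are not reported.
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*(\S{6,})")

# Constructed sample: one already-redacted value plus several leaks that
# survived redaction inside command output and the summary.
SAMPLE_RECEIPT = {
    "command": "npm test",
    "exit_code": 0,
    "env_summary": {"CI": "true", "NPM_TOKEN": "[REDACTED]"},
    "output_tail": [
        "> npm test",
        "registry: https://deploy:hunter2@registry.internal.example/npm/",
        "loaded key: -----BEGIN RSA PRIVATE KEY-----",
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
        "export SLACK_TOKEN=[REDACTED]",
    ],
    "stderr": "warning: using PASSWORD=correct-horse-battery",
    "summary": "Tests passed; used AKIAABCDEFGHIJKLMNOP for fixture upload",
}


def scan_text(text, path="$"):
    """Return (path, label, matched_text) for every secret-shaped hit in text."""
    findings = []
    for label, rx in PATTERNS:
        for m in rx.finditer(text):
            findings.append((path, label, m.group(0)))
    for m in ASSIGNMENT.finditer(text):
        if "REDACTED" in m.group(2).upper():
            continue  # redaction already handled this one
        findings.append((path, "credential_assignment", m.group(0)))
    return findings


def walk_strings(obj, path="$"):
    """Yield (json_path, string) for every string value in a JSON object."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")


def scan_receipt(receipt):
    findings = []
    for path, text in walk_strings(receipt):
        findings.extend(scan_text(text, path))
    return findings


def scan_receipt_file(filename):
    with open(filename, encoding="utf-8") as fh:
        raw = fh.read()
    try:
        return scan_receipt(json.loads(raw))
    except json.JSONDecodeError:
        return scan_text(raw, filename)  # Markdown receipt: scan as plain text


if __name__ == "__main__":
    hits = scan_receipt_file(sys.argv[1]) if len(sys.argv) > 1 else scan_receipt(SAMPLE_RECEIPT)
    for path, label, snippet in hits:
        print(f"{path}: {label}: {snippet}")
    sys.exit(1 if hits else 0)  # non-zero so a pre-commit or CI step can block the post
```

Run it as `python inspect_receipt.py path/to/file.trustlog` before pasting a receipt into a PR, ticket, or chat; the JSON path in each hit points at the field to trim. A clean run is not proof of safety (the pattern list is deliberately short), which is the same point the skill text makes about its own redaction.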