Hash
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This checksum skill appears purpose-aligned, with the main thing to notice being that it keeps local history and batch manifest files.
This looks like a normal local checksum utility. Before installing, be aware that batch mode can process an entire chosen directory and that the tool keeps local history and manifests under ~/.local/share/hash; clear those files if you do not want that metadata retained.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user selects a large or sensitive directory, the tool will read file contents to compute hashes and print/store paths and hashes.
The batch command recursively enumerates files in a user-supplied directory. This is expected for generating directory checksums, but it can process many local files if pointed at a broad path.
done < <(find "${dir}" -type f -print0 | sort -z)Use batch mode only on directories you intentionally want checksummed, and avoid broad home-directory or system-wide paths unless that is your goal.
File names, paths, and hash results may remain on disk in the user's home directory and could reveal what files were checked.
The script persists a local history log containing operation details such as file paths and hash values. This supports the documented history command, but it retains local metadata after use.
DATA_DIR="${HOME}/.local/share/hash"
HISTORY_FILE="${DATA_DIR}/history.log"
log_operation "${algo}" "file=${input} hash=${h}"Review or delete ~/.local/share/hash/history.log and batch manifest files if you do not want checksum activity retained.