Roast Generator

Review

Audited by ClawScan on May 10, 2026.

Overview

The roast generator itself is simple, but an included helper script also saves command history/data locally and exposes unrelated utility commands that the description does not disclose.

Review which script will actually be installed or run. Avoid entering sensitive personal information into this skill unless the local logging behavior is removed or clearly controlled, and consider deleting ~/.local/share/roast-generator if you test it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this helper is used, the agent or user may create, search, list, or export local stored entries instead of only generating joke text.

Why it was flagged

The included CLI exposes generic local data-management commands, including mutation and export behavior, which are not part of the described roast-generation purpose.

Skill content
Commands:
  run
  config
  status
  init
  list
  add
  remove
  search
  export
...
cmd_add() {
    echo "$(date +%Y-%m-%d) $*" >> "$DB"; echo "  Added: $*"
}

Recommendation

Remove the unrelated utility commands or document them clearly and require explicit user direction before any local data is written or exported.

What this means

Text entered into the CLI, including potentially sensitive names or prompts, can remain on disk in local data/history files.

Why it was flagged

The script creates persistent local storage and logs command arguments, but SKILL.md only describes stdout roast generation.

Skill content
DATA_DIR="${ROAST_GENERATOR_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/roast-generator}"
DB="$DATA_DIR/data.log"
mkdir -p "$DATA_DIR"
...
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }

Recommendation

Disclose the local storage behavior, make logging opt-in or minimize what is logged, and provide a clear cleanup command or retention policy.

What this means

Users cannot easily tell which included script would run when invoking the documented command.

Why it was flagged

The skill documentation references a roast-generator CLI and the manifest includes scripts, but the artifacts do not define how that CLI is installed or which script is the entrypoint.

Skill content
No install spec — this is an instruction-only skill.

Recommendation

Provide an explicit install spec or entrypoint mapping, and ensure the installed command matches the documented roast-generator behavior.