Shadow
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign CSS shadow generator that runs a local Bash/Python CLI and stores saved presets in a disclosed local file.
Before installing, be comfortable running the local scripts/script.sh CLI, make sure Bash and Python 3 are available, and know that saved shadow presets are written to ~/.shadow/data.jsonl. The provided artifacts do not show credential access, network exfiltration, or unrelated system changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes local script code on the user's machine.
Using the skill executes a local Bash script that launches embedded Python code. This is expected for a CLI generator, but users should understand it runs local code.
case "$CMD" in
box|text|drop|inset|layer|preset|random|animate|export|preview)
python3 - "$CMD" "$@" << 'PYEOF'Use only the documented commands you intend to run, and ensure you are comfortable running this local script.
The skill may fail or behave differently on systems without Bash or Python 3 available.
The skill requires Bash and Python, while the registry requirements list no required binaries. This is an under-declared dependency rather than suspicious behavior.
## Prerequisites - Python 3.8+ - Bash shell
Confirm Bash and Python 3 are installed before use; publishers should declare these requirements in metadata.
Saved shadow presets remain on disk and can affect future exports, previews, animations, or layered shadows.
The skill stores reusable shadow definitions locally. Persistent data is disclosed and purpose-aligned, but later commands may reuse saved values.
All saved shadow presets and configurations are persisted in `~/.shadow/data.jsonl`.
Review or clear ~/.shadow/data.jsonl if you do not want prior generated presets reused.