Skill v2.0.1

ClawScan security

Sleep Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 10:50 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement the claimed sleep-tracking and advice CLI using local shell scripts without network calls or external credentials, but it writes user data and command history to disk and the provided sleep.sh content was truncated in the review so full inspection is recommended.
Guidance
This skill is internally consistent with its stated goal and runs entirely locally, but review the included scripts before installing. Key things to consider: (1) All user entries and commands are written to data.log and history.log in your data directory — do not log sensitive secrets. (2) The journal file in /tmp may be accessible to other local users on multi-user systems; consider setting SLEEP_TRACKER_DIR to a secure location with correct permissions. (3) There is no installer: you (or the agent) must place the scripts into PATH to use the 'sleep-tracker' CLI. (4) The provided sleep.sh content was truncated in the materials reviewed — if possible, inspect the full sleep.sh for any network, exec, or unexpected behavior before running. If you want higher confidence, run the scripts in a sandboxed account or container and/or audit the complete sleep.sh for hidden network calls or other surprises.

Review Dimensions

Purpose & Capability
ok
Name/description (sleep analysis, tips, scheduling, journaling) matches the provided CLI behavior in SKILL.md and the included bash scripts. The files implement logging, analysis, tips, and export functionality that are coherent with the stated purpose.
Instruction Scope
note
Instructions and scripts operate locally and reference only SLEEP_TRACKER_DIR (default ~/.local/share/sleep-tracker) and /tmp/sleep_journal.txt. They log all commands to history.log and store data.log; this is expected for a tracker but is a privacy consideration: entries and reminders are persisted and history.log records commands (potentially containing user-provided text).
Install Mechanism
ok
No install spec (instruction-only). Two shell scripts are included; no external downloads or package installs. The skill relies only on standard POSIX utilities which is proportionate to its purpose. Note: there is no automated installer — user/agent must place scripts into PATH or invoke them explicitly.
Credentials
ok
No credentials or special environment variables required. The single environment override SLEEP_TRACKER_DIR is reasonable for choosing a storage directory. No unrelated secrets/config paths are requested.
Persistence & Privilege
note
Skill does not request always:true and does not change other skills. It writes data to a per-user directory (~/.local/share/sleep-tracker by default) and a temporary journal in /tmp. This is expected but means persistent local data is created and should be considered before use.