Skill v2.0.2
ClawScan security
Step · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:51 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are consistent with a local, offline step-tracking CLI that stores data under ~/.local/share/step and do not request unrelated credentials or network access.
- Guidance: This skill appears to be a simple local CLI that stores step/fitness logs under ~/.local/share/step and operates offline. Before installing, review the full script if you want to confirm there are no hidden network calls or cron/scheduling behavior (the provided snippet shows only local file I/O and standard utilities like grep/du/tail). Expect the tool to create and append log files in that directory; back up or remove that directory if you stop using the skill. Autonomous agent invocation is allowed by default on the platform, but this skill does not request extra privileges or external credentials.
Review Dimensions
- Purpose & Capability: ok. Name/description (step logging, goals, charts) matches the included shell script and SKILL.md: the tool logs entries, shows stats, exports data, and stores everything under ~/.local/share/step. No unrelated capabilities (cloud, cloud creds, system-wide config access) are requested.
- Instruction Scope: ok. SKILL.md instructs use of the local 'step' CLI and references only the DATA_DIR; the script reads/writes files only inside that directory and runs standard local utilities (du, tail, grep, wc). The instructions do not instruct the agent to read unrelated system files, environment secrets, or send data externally.
- Install Mechanism: ok. No install spec is provided (instruction-first skill). The included script is a plain Bash script; there's no download-from-URL or package install step that would write or execute remote code.
- Credentials: ok. No environment variables, credentials, or config paths are required. The script uses HOME implicitly to build a local data directory, which is appropriate for a per-user CLI tool.
- Persistence & Privilege: ok. Skill is not always-enabled and does not request privileged or system-wide persistence. It writes only to its own data directory (~/.local/share/step) and does not modify other skills or global agent settings.
