Config
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a local config-log utility, but its documented remove command appears to falsely report deletion without actually removing stored entries.
Use this only for non-secret configuration notes unless you have reviewed the local log files. Be aware that `config remove` does not appear to actually delete entries, so manually inspect or edit the data log if you need to remove sensitive information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could think a configuration entry, possibly containing sensitive information, was removed when it is still stored in the local data log.
The implementation of the remove command does not modify data.log or delete any matching entry; it only prints 'Removed' and records history, despite the skill documentation describing `config remove <item>` as removing a specified entry.
cmd_remove() {
echo " Removed: $1"
_log "remove" "${1:-}"
}Fix the remove command to actually delete the requested entry or change the documentation/output to clearly state that removal is not implemented.
Configuration values entered into the tool can remain on disk and may be exported later.
The skill intentionally persists user-provided configuration entries and command history in local files. This is disclosed and purpose-aligned, but it may retain sensitive configuration values if users add them.
Data log: `$DATA_DIR/data.log` — stores all added entries with timestamps - History log: `$DATA_DIR/history.log` — timestamped record of every command executed
Avoid storing secrets such as passwords, tokens, or full connection strings unless you are comfortable with them being kept in local log files.