Consent
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill appears to be local-only, but its cookie-consent description does not match what the included code actually is: a credential/security logging CLI that encourages storing secrets in persistent plaintext files.
Treat this as a plaintext local logging script, not a secure consent or password tool. Do not enter real passwords, API keys, or private consent records unless you are comfortable storing them under `~/.local/share/consent`; verify the install path and consider removing any generated logs if you test it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user's agent may send credential or token information to a tool selected for consent-banner work.
The artifact expands from cookie consent/banner work into token, credential, and password-like handling, which is not clearly justified by the stated purpose.
description: "Build cookie consent banners and track opt-in compliance status..." ... "Security toolkit for managing consent records — generate tokens, check strength, rotate credentials..."
Limit this skill to consent records, or clearly separate and disclose any credential-handling functionality with explicit user approval.
Passwords, API keys, consent records, or other private values could remain in plaintext logs and later be shown by recent/search/export commands or read by other local processes.
The code persists raw command input and a history entry in local log files; the documented examples include credentials and passphrases, so this persistent memory can contain sensitive secrets.
DATA_DIR="${HOME}/.local/share/consent" ... echo "$ts|$input" >> "$DATA_DIR/store.log" ... _log "store" "$input"
Do not store real secrets with this skill; add encryption or hashing where appropriate, redact sensitive input, and document retention and deletion controls.
Users may believe the tool protects stored consent or credential data when it only writes plaintext files locally.
Calling plaintext log storage 'secure' can mislead users or agents into trusting it with sensitive values.
`consent store <input>` | Store a value securely in the local data log ... All data is local plain-text. No network calls, no cloud sync.
Change the wording to state plainly that storage is unencrypted plaintext, and avoid presenting it as secure unless real protections are implemented.
Users may be uncertain what code is actually invoked when using `consent`.
The artifact includes a runnable-looking script and documents a CLI command, but does not declare how that command is installed or made available.
Install specifications: No install spec — this is an instruction-only skill. Code file presence: scripts/script.sh (11636 bytes).
Provide a clear install spec or setup instructions, and align metadata with the included script.
