Dotfiles
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to store local log entries, but it is advertised as a dotfile backup/sync/versioning tool, which could mislead users into thinking real backups or restores are happening.
Treat this as a local logging utility, not a real dotfile backup or sync system, unless the publisher provides a clearer implementation. Do not rely on it to protect or restore files, and avoid entering secrets or sensitive configuration details into its logs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may believe dotfiles were backed up or restored when only a text record was saved, which could lead to data loss or a failed machine migration.
The skill is advertised as performing dotfile backup, sync, restore, and version tracking, but its own command descriptions say backup and restore only log events. That discrepancy can mislead users about whether their files are actually protected.
description: "Backup, sync, and version-track dotfiles across multiple machines..." ... `dotfiles backup <input>` | Log a backup event ... `dotfiles restore <input>` | Log a restore operation
Either rename and describe the skill as a local operations log, or implement clearly scoped backup/sync/restore behavior with explicit source paths, destinations, confirmation, verification, and restore instructions.
Local logs or exports could reveal configuration, incident, or environment details to anyone with access to the user account or backup copies.
The skill persistently stores user-provided operational notes and can export them. This is disclosed and purpose-aligned for a logging tool, but the stored content may contain sensitive system details if users enter them.
All data is stored in `~/.local/share/dotfiles/` ... Per-command logs ... Activity history ... Exports — `export.json`, `export.csv`, or `export.txt`
Do not enter secrets, tokens, passwords, or sensitive host details. Review and delete logs or exports when they are no longer needed.
The documented command may not be available after installation, or users may need to manually decide how to install and run the included script.
The skill documents a `dotfiles` command and includes a shell script, but the registry provides no installation specification or required binary declaration. This is not malicious by itself, but it leaves command setup and provenance less clear.
No install spec — this is an instruction-only skill.
The publisher should provide an explicit install mechanism or clear manual setup instructions. Users should inspect the script and verify the source before running it.
