Fish

Pass

Audited by ClawScan on May 1, 2026.

Overview

Fish appears to be an offline, local command-line logging utility. The main things to notice are its persistent local history and an unclear install path for its included script.

This looks safe to install if you want a simple local logging utility, but treat anything you enter as saved history and verify how the included shell script becomes the `fish` command before relying on it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anything entered into the tool may remain in local history until the user deletes it.

Why it was flagged

The skill intentionally keeps persistent local logs of activity. This is disclosed and purpose-aligned, but users should avoid passing secrets or sensitive data they do not want saved locally.

Skill content

Automatic history and activity logging ... All data is stored locally at `~/.local/share/fish/`. Each action is logged with timestamps.

Recommendation

Do not use this skill for passwords, tokens, private keys, or other secrets unless you are comfortable with them being stored in local log files.

What this means

The user may need to verify what executable will actually run when using the `fish` command.

Why it was flagged

The package includes a shell script but does not declare how the documented `fish` command is installed or bound to that script. This is a clarity/provenance note, not evidence of malicious behavior.

Skill content

Install specifications: No install spec — this is an instruction-only skill.

Code file presence: scripts/script.sh

Recommendation

Before installing or invoking it, confirm how `scripts/script.sh` is installed and whether it conflicts with any existing `fish` command on the system.