Fish

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: fish
Version: 2.0.0

The 'Fish' skill bundle is a simple command-line utility designed for logging, searching, and exporting user-provided data locally. The script `scripts/script.sh` manages text-based logs in `~/.local/share/fish/` and provides basic statistics and export functionality (JSON/CSV/TXT). No evidence of data exfiltration, remote code execution, or malicious prompt injection was found; the code strictly adheres to its stated purpose of offline data management.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anything entered into the tool may remain in local history until the user deletes it.

Why it was flagged

The skill intentionally keeps persistent local logs of activity. This is disclosed and purpose-aligned, but users should avoid passing secrets or sensitive data they do not want saved locally.

Skill content

Automatic history and activity logging ... All data is stored locally at `~/.local/share/fish/`. Each action is logged with timestamps.

Recommendation

Do not use this skill for passwords, tokens, private keys, or other secrets unless you are comfortable with them being stored in local log files.

What this means

The user may need to verify what executable will actually run when using the `fish` command.

Why it was flagged

The package includes a shell script but does not declare how the documented `fish` command is installed or bound to that script. This is a clarity/provenance note, not evidence of malicious behavior.

Skill content

Install specifications: No install spec — this is an instruction-only skill.
Code file presence: scripts/script.sh

Recommendation

Before installing or invoking it, confirm how `scripts/script.sh` is installed and whether it conflicts with any existing `fish` command on the system.