Roadmap
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The artifacts describe a local roadmap command-line logger with no network or credential use, but users should note its persistent local storage and unclear installation wiring.
This appears to be a benign local productivity tool. Before installing, verify how the `roadmap` command is wired to the provided script, and remember that anything you enter may be saved under the local roadmap data directory and included in exports.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may need to verify that the command they run is actually the reviewed script and not some separate local binary or wrapper.
This matters because the skill is presented as a command-line tool and includes `scripts/script.sh`, but the artifacts do not define how the `roadmap` command is installed or connected to that script.
No install spec — this is an instruction-only skill.
Install or invoke it only through a trusted, reviewed source, and confirm the installed `roadmap` command maps to the provided script.
Roadmap notes may remain on disk and could be surfaced in later outputs, so secrets or sensitive business details entered into the tool may persist locally.
The script stores user-provided roadmap activity in persistent local log files that can later be searched, displayed, or exported.
`_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }`
Avoid entering credentials or sensitive confidential details, and periodically review or delete the local data directory if needed.
