Skill v2.0.1
ClawScan security
Succession Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill implements a local, terminal-based succession-planning tool that is consistent with its description; nothing in the files indicates network access, credential requests, or other unrelated capabilities, but it does log all commands/data locally (history.log) and has a small documentation inconsistency about dependencies.
- Guidance: This skill appears to do what it says: a lightweight local CLI planner that logs items and a history of commands to ~/.local/share/succession-plan by default. Before installing or using it:
  1. Be aware that history.log will record every command and its arguments (candidate names, assessments, etc.); avoid logging highly sensitive PII unless you accept local storage.
  2. The code calls python3 but the top-level text is slightly inconsistent about dependencies; ensure you have Bash 4+ and python3 available.
  3. If you prefer data elsewhere, set SUCCESSION_PLAN_DIR to a secure location and consider filesystem permissions or encryption for confidential records.
  4. As with any script, you can review the two provided scripts (scripts/script.sh and scripts/succession.sh) before running them to confirm there are no changes you don’t expect.
Review Dimensions
- Purpose & Capability (ok): Name and description match the provided scripts and SKILL.md: a simple CLI task/logging tool for succession planning. The scripts only read/write local files under a per-user data directory and provide planning templates. No unrelated services, credentials, or remote endpoints are requested.
- Instruction Scope (note): Runtime instructions and scripts operate within the stated purpose and only touch the declared data directory. However, every command is appended to history.log (timestamped), so sensitive candidate names or confidential notes will be recorded. Also, SKILL.md claims "zero dependencies" in one place but the code requires Bash 4+ and invokes python3 (the Requirements section mentions Bash but not python3), which is a small documentation mismatch to be aware of.
- Install Mechanism (ok): No install spec is provided (instruction-only), and included shell/Python scripts are plain text. There is no download-from-URL or package installation step in the manifest. The risk surface is limited to the provided script contents being executed on the user's system.
- Credentials (ok): The skill requests no credentials or special environment variables. It supports optional SUCCESSION_PLAN_DIR and honors XDG_DATA_HOME and HOME for data location; these are appropriate for its function.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or system-wide settings, and only creates a per-user data directory (default ~/.local/share/succession-plan). That directory stores data.log and history.log locally.
