Web Profiler Bundle
Security checks across malware telemetry and agentic risk
Overview
This appears to be a local command-line logging helper for profiling notes, with no evidence of network access or credential use, but it persistently stores entered data and has some packaging/version inconsistencies.
This skill looks benign as a local logging utility. Before installing, be aware that it stores every entered profiling note in `~/.local/share/web-profiler-bundle/`, and the packaging metadata is sparse and somewhat inconsistent. Avoid putting secrets, tokens, private customer data, or sensitive query contents into the logs.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Profiling notes entered through the tool may remain on disk and could be seen by anyone or anything with access to the user's local files.
The skill intentionally persists user-provided profiling entries and command history. This is purpose-aligned, but users should avoid logging secrets, private URLs, tokens, or sensitive query data.
All data is stored locally in `~/.local/share/web-profiler-bundle/`. Each command maintains its own `.log` file ... A unified `history.log` tracks all operations
Use the tool only for data you are comfortable storing locally, and periodically delete or review `~/.local/share/web-profiler-bundle/` if the entries may contain sensitive details.
A user may not immediately know how the CLI is installed or verify its upstream source from the registry metadata alone.
The package provenance and installation path are not well described even though a runnable shell script is included. This is not evidence of malicious behavior, but it is a packaging transparency issue.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: scripts/script.sh
Review the included script before use and prefer packages with clear source, homepage, and install metadata.
Users could overestimate the tool's capabilities if they expect automatic timing, memory, or query instrumentation.
The implementation shown records user-supplied text for commands such as `run`; it does not demonstrate actual HTTP request measurement. Despite the profiler-oriented wording, this may be a limited logger.
`echo "$ts|$input" >> "$DATA_DIR/run.log"`
Treat this as a local profiling log/report helper unless separately verified to integrate with a real web profiler.
