ClawHub
Back to skill
v1.0.0

Popover

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:54 AM.

Analysis

The skill does not appear to steal data, but its included script is a generic local entry tracker rather than a popover UI generator.

GuidanceReview carefully before installing because the implementation does not match the advertised popover UI-generation purpose. If you still use it, treat it as a local note/entry tracker and avoid storing sensitive information.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusConcern
scripts/script.sh
# popover -- Generate popover UI elements and design assets... cmd_add() { ... _save_entry "add" "$value $*" ... } ... cmd_export() { ... cp "$DATA_DIR/data.jsonl" "$out" ;; }

The script claims the same UI-generation purpose as the skill, but its implemented behavior is only saving and exporting generic entries from a local JSONL file.

User impactA user or agent expecting UI component generation may rely on a skill that does not actually perform the advertised function.
RecommendationTreat this as a review item before installing; use it only if you want a local entry-tracking script, or ask the publisher to align the description and implementation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
scripts/script.sh
DATA_DIR="${POPOVER_DIR:-$HOME/.popover}" ... printf '{"ts":"%s","cmd":"%s","val":"%s"}\n' "$ts" "$cmd" "$val" >> "$DATA_DIR/data.jsonl"

User-provided entries are persisted locally and can later be listed, searched, or exported.

User impactAnything entered into the tool can remain on disk across sessions and may be shown or exported later.
RecommendationDo not store secrets or sensitive content in entries; set POPOVER_DIR to a scoped location or delete ~/.popover when no longer needed.