API Changelog Generator
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs this command on a maliciously named or untrusted spec file path, it could execute unintended local code rather than only reading the API spec.
The command places user-provided file path strings directly inside executable Python source: the shell expands `$OLD_SPEC` and `$NEW_SPEC` into single-quoted Python string literals within a `python3 -c "..."` argument. A crafted path containing a single quote followed by Python syntax closes the literal, and whatever follows is parsed and executed as Python under the user’s account.
OLD_SPEC="${1:?Usage: diff <old-spec> <new-spec>}" ... python3 -c " ... old = load_spec('$OLD_SPEC') ... new = load_spec('$NEW_SPEC') ... " 2>/dev/null
Rewrite the command to pass paths through argv, for example `python3 - "$OLD_SPEC" "$NEW_SPEC" <<'PY'` and read them from `sys.argv`; the quoted heredoc delimiter (`'PY'`) keeps the shell from expanding anything inside the Python source. Quoting or escaping the paths before interpolation is a weaker alternative, since it has to be correct for every character Python's string syntax treats specially. Avoid running the command on untrusted filenames until it is fixed.
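To make the finding concrete, here is an added example, not code from the skill or from ClawScan: a JSON-only stand-in for the skill's load_spec() wrapped first in the interpolated form the finding quotes and then in the argv form the remediation suggests, run against two constructed specs, one of which is stored under a crafted file name. The temp directory, spec contents, file name and the INJECTED marker are all invented for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): the interpolated-path pattern from the
# finding beside the argv-based fix it recommends. load_spec() is a JSON-only
# stand-in for the skill's helper; specs and file names below are constructed.

# Vulnerable form: the shell expands $old and $new inside the Python source string,
# so a file name can close the single-quoted literal and append Python code.
vulnerable_diff() {
  local old="$1" new="$2"
  python3 -c "
import json
def load_spec(p):
    with open(p) as f:
        return json.load(f)
old = load_spec('$old')
new = load_spec('$new')
print(' '.join(sorted(set(new['paths']) - set(old['paths']))))
" 2>/dev/null
}

# Hardened form: paths travel through argv, and the quoted heredoc delimiter ('PY')
# stops the shell from expanding anything inside the Python source.
safe_diff() {
  python3 - "$1" "$2" <<'PY' 2>/dev/null
import json, sys
def load_spec(p):
    with open(p) as f:
        return json.load(f)
old = load_spec(sys.argv[1])
new = load_spec(sys.argv[2])
print(' '.join(sorted(set(new['paths']) - set(old['paths']))))
PY
}

# Two constructed specs. The "new" spec lives under a crafted name that, once
# interpolated into the vulnerable source, reads as:
#   load_spec('<dir>/x' + str(print('INJECTED')) + '.json')
setup_specs() {
  SPEC_DIR="$(mktemp -d)"
  OLD_SPEC="$SPEC_DIR/old.json"
  NEW_SPEC="$SPEC_DIR/x' + str(print('INJECTED')) + '.json"
  printf '{"paths": {"/users": {}}}' > "$OLD_SPEC"
  printf '{"paths": {"/users": {}, "/orders": {}}}' > "$NEW_SPEC"
}

# What the vulnerable form prints for the crafted pair: the injected print() runs
# before the spec file is opened, so the marker appears on stdout.
run_vulnerable() {
  setup_specs
  local out
  out="$(vulnerable_diff "$OLD_SPEC" "$NEW_SPEC" || true)"
  rm -rf "$SPEC_DIR"
  printf '%s\n' "$out"
}

# What the hardened form prints for the same pair: the crafted name is opened
# literally, the spec loads, and the diff is the added path.
run_safe() {
  setup_specs
  local out
  out="$(safe_diff "$OLD_SPEC" "$NEW_SPEC" || true)"
  rm -rf "$SPEC_DIR"
  printf '%s\n' "$out"
}

printf 'vulnerable form printed: %s\n' "$(run_vulnerable)"
printf 'hardened form printed:   %s\n' "$(run_safe)"
```

The marker stands in for anything an attacker can place in a file name; the injected expression runs at string-concatenation time, before open() is ever reached, so the spec's contents never matter. The hardened form never lets the file name into the source at all, which is why it also works on names containing quotes, `$`, backticks or newlines.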
The command may fail or behave differently depending on the user’s local Python environment and installed packages.
The instruction-only skill relies on local Python and optionally PyYAML, while the registry metadata declares no required binaries or install spec. This appears purpose-aligned, but users may not realize the runtime dependency is external to the reviewed package.
python3 -c " ... import yaml ... except ImportError: print(f'Warning: PyYAML not installed, trying JSON parse') ... "
Document python3 and optional PyYAML requirements in metadata or provide a safer, reviewed helper script with pinned dependencies.
