Skill v2.0.2

ClawScan security

Ai Code Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 18, 2026, 10:34 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are coherent with its stated purpose (a local, file-based developer logging/toolkit) and request no extra credentials or network access. However, it persistently stores user-provided content locally, so users should be aware of privacy risks.
Guidance
This skill appears to do what it says: a local CLI logger for code review/generation/linting activity. Before installing/using it, review the bundled script (already included) and be mindful that any text you pass (including full code snippets, configuration, or secrets such as API keys) will be written in cleartext to ~/.local/share/ai-code-helper/*.log and history.log. If you plan to log sensitive content, consider: (1) not logging secrets or truncating/redacting them before saving, (2) setting restrictive file permissions on the data directory, (3) adding the data directory to backups/retention policies or .gitignore as appropriate, and (4) periodically deleting or encrypting logs. The minor version/name mismatches are cosmetic but you can verify the latest script in the upstream repo if desired.

Review Dimensions

Purpose & Capability
ok
Name/description (Ai Code Helper / code review, generate, lint, format, etc.) align with the provided script and SKILL.md: the tool is a local CLI that logs operations and provides simple export/search/stats functionality. Minor cosmetic inconsistencies (SKILL.md header uses 'Claude Code' and script reports v2.0.0 while registry shows v2.0.2) are present but do not alter capability.
Instruction Scope
note
SKILL.md instructions and the script implement only local operations (writing/reading plain-text logs under ~/.local/share/ai-code-helper, searching with grep, exporting files). This matches the declared scope. Important note: the tool persistently records any user-provided input (including code snippets, config, or secrets) to plain-text logs and history, which is a privacy/data-leakage risk if users store sensitive material.
Install Mechanism
ok
No install spec is provided (instruction-only with a bundled script); nothing is downloaded or written outside the user's data directory. No external package installs or remote fetches are present in the included script.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths and the script only uses HOME to construct a per-user data directory. No unrelated credentials or network endpoints are requested.
Persistence & Privilege
note
The skill runs as a normal CLI and stores persistent data in the user's home (~/.local/share/ai-code-helper). always:false and default autonomous invocation are set. The persistent logging behavior is expected for a historical/logging tool, but users should be aware it will retain any input indefinitely unless they delete or rotate files.