Bookworm

Pass

Audited by ClawScan on May 1, 2026.

Overview

Bookworm appears to be a local-only logging tool; the main considerations are plain-text persistent personal logs and an under-specified CLI install path.

This looks safe for ordinary local reading or productivity logs. Before installing, verify what `bookworm` points to because no install spec is provided, and remember that entries are stored as local plain-text files rather than encrypted or private vault data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may need to manually confirm what command will run before using the documented `bookworm` examples.

Why it was flagged

The artifacts also ship `scripts/script.sh` and document a `bookworm` CLI, so the installer/command mapping is under-specified. This is not evidence of malicious behavior, but users should verify the local setup path.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install or invoke only the reviewed local script, and avoid ad-hoc shell aliases or wrappers from unverified sources.

What this means

Anything you log may remain on disk and be visible to anyone or any process with access to your local user files.

Why it was flagged

The skill keeps persistent plain-text logs and exports of user-entered content. That is purpose-aligned for a logging tool, but the entries may contain personal reading habits, plans, reminders, or notes.

Skill content

All data is stored in `~/.local/share/bookworm/` ... `history.log` ... `export.json` / `export.csv` / `export.txt`

Recommendation

Avoid logging secrets or highly sensitive personal information, and periodically review or delete `~/.local/share/bookworm/` if you no longer need the records.