Bookworm
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: bookworm Version: 2.0.1 The 'bookworm' skill is a straightforward Bash-based productivity tool for logging reading habits and tasks. It operates entirely locally, storing data in plain-text files within the user's home directory (~/.local/share/bookworm/). Analysis of 'scripts/script.sh' and 'SKILL.md' reveals no network activity, data exfiltration, persistence mechanisms, or malicious execution patterns. While the script lacks advanced input sanitization (e.g., in the JSON export function), these are minor functional bugs rather than intentional security flaws.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may need to manually confirm what command will run before using the documented `bookworm` examples.
The artifacts also ship `scripts/script.sh` and document a `bookworm` CLI, so the installer/command mapping is under-specified. This is not evidence of malicious behavior, but users should verify the local setup path.
No install spec — this is an instruction-only skill.
Install or invoke only the reviewed local script, and avoid ad-hoc shell aliases or wrappers from unverified sources.
Anything you log may remain on disk and be visible to anyone or any process with access to your local user files.
The skill keeps persistent plain-text logs and exports of user-entered content. That is purpose-aligned for a logging tool, but the entries may contain personal reading habits, plans, reminders, or notes.
All data is stored in `~/.local/share/bookworm/` ... `history.log` ... `export.json` / `export.csv` / `export.txt`
Avoid logging secrets or highly sensitive personal information, and periodically review or delete `~/.local/share/bookworm/` if you no longer need the records.