Back to skill
Skillv2.0.1
ClawScan security
Dailylog · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 10:40 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a local, bash-based journaling tool that stores plaintext logs under ~/.local/share/dailylog and its code and instructions are consistent with that purpose.
- Guidance
- This skill is a straightforward local journaling tool implemented as a bash script. Before installing: review the script (it will create and append plaintext files under ~/.local/share/dailylog), ensure you are comfortable with logs being stored unencrypted on disk, and consider setting file permissions or storing sensitive notes elsewhere. Note the small mismatches in metadata (registry says no required binaries but the script requires Bash; SKILL.md vs history.log timestamp format). If you want extra safety, run the script in a sandbox or inspect/run it locally rather than granting it autonomous access in a high-privilege agent.
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description match the actual behavior: a local journaling/streak tracker. Minor metadata inconsistency: registry metadata lists no required binaries while SKILL.md and the shipped script require Bash (the implementation is a bash script). This is an omission in the declared requirements, not evidence of malicious behavior.
- Instruction Scope
- noteRuntime instructions and the script operate only on local files under the user's home dir and standard unix utilities (date, grep, wc, du, head, tail). They do not perform network calls or access unrelated system paths. A small inconsistency: SKILL.md claims entries are timestamped in 'YYYY-MM-DD HH:MM|value' (which the per-command logs use), but the _log function writes history.log using a different 'MM-DD HH:MM <category>: <value>' format — a minor documentation/format mismatch.
- Install Mechanism
- okNo install spec and no network downloads — the skill is instruction-only with one included bash script. No extraneous packages or remote installers are used.
- Credentials
- okNo credentials or special environment variables are requested. The script uses HOME (standard) and common Unix utilities; nothing asks for unrelated secrets or external service keys.
- Persistence & Privilege
- okalways:false and no modifications to other skills or global agent settings. The tool persists only its own files under ~/.local/share/dailylog.