Funnel Analyzer
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs this script on malformed or malicious funnel data, each step count is substituted into a Bash arithmetic expansion, where Bash evaluates it as an expression rather than as a plain number. A value such as `2+3` silently changes the result, a value with a leading zero is read as octal, a zero count makes the division abort the expansion and fail the script, and a value that embeds a command substitution inside an array subscript is expanded by Bash, which is a local code-execution hardening risk.
Step counts come directly from user-provided input and are used in Bash arithmetic without a numeric allowlist or a zero-divisor check.
local val="${pair##*:}" ... bar_width=$((val * max_width / first_val)) ... pct_step=$((val * 100 / prev_val))
Validate every count against a strict numeric pattern before any arithmetic, reject a zero divisor explicitly (both `first_val` and `prev_val` are used as divisors), and avoid running the script on untrusted pasted data until that validation is added.
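The validation the recommendation asks for, as an added example that is not the skill's own code. It keeps the `step:count` pair format and the `${pair##*:}` parsing shown above, but the function names (`is_count`, `canon_count`, `funnel_pct`) and the sample input are this example's own assumptions. It is written in POSIX sh so the check behaves the same under sh or bash, and it goes one step beyond the finding by also normalising leading zeros, which Bash arithmetic would otherwise read as octal.

```shell
#!/bin/sh
# Added example (not the skill's own code): validate funnel step counts
# before they reach shell arithmetic.

# Accept only a non-empty string of ASCII digits. Anything else ("2+3",
# "-5", "a[$(id)]", an empty field) is rejected before it can be expanded
# inside $(( )), where the shell would evaluate it as an expression.
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Strip leading zeros so "010" means ten rather than octal 8 (and "09" does
# not raise an invalid-number error); an all-zero string becomes "0".
canon_count() {
  n=${1#${1%%[!0]*}}
  printf '%s\n' "${n:-0}"
}

# Print one "step count pct_of_first pct_of_previous" line per pair.
# Returns 2 on a non-numeric count and 3 on a zero divisor; nothing is
# substituted into $(( )) until it has passed is_count.
funnel_pct() {
  first=''
  prev=''
  for pair in "$@"; do
    name=${pair%%:*}
    raw=${pair##*:}
    if ! is_count "$raw"; then
      printf 'rejected non-numeric count for %s: %s\n' "$name" "$raw" >&2
      return 2
    fi
    val=$(canon_count "$raw")
    if [ -z "$first" ]; then
      first=$val
      prev=$val
    fi
    # Both divisors used by the reviewed script are checked here; a zero
    # would abort the expansion, so refuse it instead of dividing.
    if [ "$first" -eq 0 ] || [ "$prev" -eq 0 ]; then
      printf 'zero step count cannot be used as a divisor (at %s)\n' "$name" >&2
      return 3
    fi
    pct_total=$((val * 100 / first))
    pct_step=$((val * 100 / prev))
    printf '%s %s %s %s\n' "$name" "$val" "$pct_total" "$pct_step"
    prev=$val
  done
}

# Constructed sample input (not real funnel data):
funnel_pct visit:1000 signup:0250 paid:50
```

Because `is_count` runs before any expansion, a pasted value like `a[$(id)]` is reported and the function returns without ever placing it inside `$(( ))`; the same function can be dropped in front of the `bar_width` and `pct_step` lines quoted above.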
Funnel metrics or other text passed to the helper commands may persist on disk in `history.log` or `data.log`.
The helper creates a persistent local data directory and appends command arguments and data to files there, while SKILL.md does not describe this retention.
DATA_DIR="${FUNNEL_ANALYZER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/funnel-analyzer}" ... mkdir -p "$DATA_DIR" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; } ... cmd_add() { echo "$(date +%Y-%m-%d) $*" >> "$DB"; }
Document the local data retention in SKILL.md, avoid entering secrets or sensitive business data, and delete the funnel-analyzer data directory (`$HOME/.local/share/funnel-analyzer` unless `FUNNEL_ANALYZER_DIR` or `XDG_DATA_HOME` overrides it, per the `DATA_DIR` line above) if the stored history is not wanted.
A user or agent may be unsure which local code is actually invoked by the documented command.
The package still includes executable scripts and SKILL.md examples for a `funnel-analyzer` command, but the reviewed artifacts do not declare how that command is installed or which script is the intended entry point.
No install spec — this is an instruction-only skill.
Add an explicit install/entry-point declaration, declare the Bash requirement, and make SKILL.md examples match the reviewed script path or command.
