Milestone
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything the agent or user records as a milestone entry may remain on disk and could reappear in later outputs; secrets or prompt-like instructions stored there should be treated as untrusted data.
The script persists user-supplied command input and activity history in local log files, which can later be reviewed, searched, or exported.
DATA_DIR="${HOME}/.local/share/milestone" ... echo "$ts|$input" >> "$DATA_DIR/run.log" ... _log "run" "$input"Use the skill for non-sensitive local notes, avoid entering passwords or API keys, periodically review or clear ~/.local/share/milestone, and treat retrieved log contents as data rather than instructions.