v1.0.0

Plc

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:49 AM.

Analysis

This appears to be a simple local note-style CLI rather than a real PLC controller interface; it runs a local script and stores user-added entries under ~/.plc.

Guidance: This skill looks safe for basic local note-style use, but it is not a PLC programming or safety tool. Before installing, be comfortable with a bash script creating ~/.plc, storing entries there, and exporting files in your working directory; avoid saving secrets or sensitive control-system information.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
```bash
scripts/script.sh status
```

Using the skill involves running the included bash script. This local command execution is clearly documented and central to the skill's CLI behavior.

User impact: The skill can run local shell commands that create, read, update, and export its own data files.
Recommendation: Run it only as your normal user, avoid elevated privileges, and review the script before use if you are concerned about local file changes.

Human-Agent Trust Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
```
description: "Programmable logic controller programming helper"
...
Commands:
  status
  add
  list
  search
  remove
  export
  stats
  config
```

The advertised PLC-helper purpose is more specific than the implemented generic entry-management commands.

User impact: Users should not assume this skill validates PLC programs, connects to controllers, or provides industrial safety checks.
Recommendation: Treat it as a simple local entry/log manager unless additional PLC-specific functionality is provided and reviewed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/script.sh
```bash
DATA_DIR="${PLC_DIR:-$HOME/.plc}"
...
printf '{"ts":"%s","cmd":"%s","val":"%s"}\\n' "$ts" "$cmd" "$val" >> "$DATA_DIR/data.jsonl"
```

The script persists arbitrary user-provided entries in a local JSONL file, which can later be listed, searched, or exported.

User impact: Any sensitive PLC notes, configuration details, or instruction-like text added to the tool will remain on disk and may be shown back to the agent later.
Recommendation: Do not store secrets or sensitive industrial control details unless local persistence is intended; treat listed or exported entries as user data, not trusted instructions.