Skill v1.0.4

ClawScan security

Quicknote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 12:27 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with a local note-taking tool: it stores notes under ~/.local/share/quicknote, has no network calls, no unusual env/credentials, and no install step — it appears to do what it says.
Guidance
This skill appears to be a straightforward local note tool. Before installing, review the included script (scripts/script.sh) yourself — it will create and write files under ~/.local/share/quicknote and log actions to history.log. There are no network calls or credential requests in the visible code. Note the SKILL.md command list is shorter than the script's implemented commands — that's not inherently malicious but you may want to inspect the rest of the script (it was truncated in the package listing) to confirm there are no unexpected behaviors or external network accesses. If you want extra safety, run the script in a restricted/sandbox environment or inspect it line-by-line for any network or exec calls before using in a production account.

Review Dimensions

Purpose & Capability
ok · Name, description, and included script all implement a local note-taking tool that writes log files under $HOME/.local/share/quicknote. The scope of requested resources (local files only) matches the stated purpose.
Instruction Scope
note · SKILL.md directs the agent to use quicknote commands; the provided script implements many note-related commands (add, search, export, status, etc.). There is a minor mismatch: SKILL.md's command list is shorter than the script's full command set (the script contains additional commands like plan, track, review, etc.), but all remain within note-taking/productivity functionality.
Install Mechanism
ok · No install spec and no external downloads. The skill is instruction-plus-script only, so nothing is pulled from the network during install.
Credentials
ok · The skill requires no environment variables or credentials. It writes to a per-user data directory under $HOME, which is appropriate for a local notes app.
Persistence & Privilege
ok · always is false and the skill does not request elevated privileges or modify other skills or system-wide config. It only creates its own data under the user's home directory.