DevLog Agent Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill matches its stated developer-journaling purpose, but it can install an external Python CLI and keep persistent project notes that users should review.
Before installing, confirm you trust the dev-log-cli package and are comfortable with a local persistent developer journal. Do not record secrets in the log, and review entries periodically because agents may use them as project context later.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the setup script is run, code from Python package repositories will be installed under the user's account.
The setup script installs pipx and dev-log-cli from Python package sources without version pins. This is disclosed and central to the skill, but users are trusting external package supply chain content.
python3 -m pip install --user pipx ... pipx install dev-log-cli
Install only if you trust the dev-log-cli package source; prefer pinned versions or review the linked project/package before running setup.
Project notes may contain sensitive, stale, or incorrect information that future agent sessions could reuse.
The skill intentionally stores developer context persistently and later supports listing and searching it, which can affect future agent context.
capture context, project milestones, and task statuses in a structured SQLite database
Avoid logging secrets or highly sensitive details, and periodically review or edit stored entries for accuracy.
