Skill v1.0.0
ClawScan security
DevLog Agent Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:00 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and included setup script are coherent with a journaling/dev-log CLI integration; nothing in the package contradicts that purpose, though you should still review the third-party CLI and where it stores logs.
- Guidance
- This skill appears to do what it says: it integrates an external CLI (dev-log-cli) for agent journaling and includes a small setup script to install pipx and the CLI. Before installing/running it: (1) review the dev-log-cli project on GitHub/PyPI (linked in SKILL.md) to ensure its behavior is acceptable; (2) confirm where the CLI stores its SQLite database and whether logs might contain sensitive secrets you don't want persisted; (3) be aware the setup script will install pipx into your user environment and may update shell startup files via 'pipx ensurepath'; and (4) if you need stronger assurance, run the install step in an isolated environment (container/VM) and audit the installed package source first.
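Step (2) of the guidance, and the Instruction Scope note below, both come down to the same check: find the SQLite file the CLI writes, confirm only your user can read it, and look for secrets that were journaled by accident. The script below is an added example, not part of the skill or of dev-log-cli. It assumes nothing about the CLI's schema (every user table and text column is walked via sqlite_master) and takes the database path as an argument, because this page does not state where dev-log-cli stores it; the `entries` table, the secret patterns and the sample rows are constructed for the demonstration.

```python
"""Audit a dev-log SQLite store for loose file permissions and secret-like entries.

Added example, not the skill's or dev-log-cli's own code. The DB path is an
assumption: confirm it from the CLI's documentation and pass it explicitly.
"""
import os
import re
import sqlite3
import stat
import tempfile

# Assumed, deliberately narrow patterns; extend them for your environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api_key)\s*[=:]\s*\S+"),
}


def owner_only(path):
    """True when no group/other permission bit is set (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def _q(identifier):
    """Quote a SQLite identifier taken from sqlite_master / PRAGMA output."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_secrets(path):
    """Return (table, column, rowid, pattern_name) for every text cell that matches."""
    hits = []
    # Open read-only: an audit must not modify or lock the journal for the CLI.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f"PRAGMA table_info({_q(table)})")]
            for col in columns:
                # Ordinary rowid tables assumed; a WITHOUT ROWID table would raise here.
                for rowid, value in con.execute(f"SELECT rowid, {_q(col)} FROM {_q(table)}"):
                    if not isinstance(value, str):
                        continue
                    for name, pattern in SECRET_PATTERNS.items():
                        if pattern.search(value):
                            hits.append((table, col, rowid, name))
    finally:
        con.close()
    return hits


def audit(path):
    """Combined report: permission check plus secret hits."""
    return {"owner_only": owner_only(path), "secret_hits": scan_secrets(path)}


def build_sample_db(mode=0o644):
    """Constructed sample DB (made-up schema): one clean row and two leaky rows."""
    directory = tempfile.mkdtemp(prefix="devlog-audit-")
    path = os.path.join(directory, "devlog.sqlite3")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE entries (ts TEXT, project TEXT, body TEXT)")
    con.executemany("INSERT INTO entries VALUES (?, ?, ?)", [
        ("2026-02-11T09:00:00", "api", "Fixed pagination bug in /users endpoint"),
        ("2026-02-11T09:05:00", "infra", "Rotated key AKIAABCDEFGHIJKLMNOP for the CI runner"),
        ("2026-02-11T09:10:00", "deploy", "Ran deploy with token=s3cr3t-value-do-not-log"),
    ])
    con.commit()
    con.close()
    os.chmod(path, mode)  # simulate whatever mode the CLI left the file with
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_db()
    report = audit(target)
    print("owner-only permissions:", report["owner_only"])
    for table, col, rowid, name in report["secret_hits"]:
        print(f"{table}.{col} rowid={rowid}: {name}")
```

Run it against the real file once you know its location (`python3 devlog_audit.py /path/to/devlog.sqlite3`); a hit is a row to redact with the CLI's `edit` command, and a `False` permission result means the file should be chmod'ed to 0600 before the skill is used on sensitive projects.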
Review Dimensions
- Purpose & Capability
- ok: The SKILL.md describes a developer journaling/logging skill, and the only runtime dependency is a CLI called dev-log-cli installed via pipx. Requiring or attempting to install that CLI is appropriate for the stated purpose. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- note: The runtime instructions restrict the agent to using the devlog CLI (add/list/stats/search/view/edit). The included setup.sh only ensures pipx and dev-log-cli exist. However, the skill will cause the agent to create and persist logs in a SQLite DB (per SKILL.md). That means logs could contain sensitive project data or secrets; you should confirm where the CLI stores its DB and its retention/permissions before using it in sensitive contexts.
- Install Mechanism
- ok: setup.sh uses standard Python tooling: 'python3 -m pip install --user pipx', 'pipx ensurepath', and 'pipx install dev-log-cli'. This installs the package from PyPI via pipx rather than downloading from an arbitrary URL. It is a common, low-friction install path, but it still depends on a third-party PyPI package, and the name is not pinned to a version or hash, so each run resolves to whatever PyPI currently publishes under it; audit the upstream package if you need high assurance.
- Credentials
- ok: The skill requests no environment variables, no credentials, and no config paths. The setup script modifies PATH in-process and calls 'pipx ensurepath' (which may update shell startup files). This is reasonable for making a user-local CLI available but is worth noting.
- Persistence & Privilege
- ok: The skill is not force-included (always: false) and does not request persistent elevated privileges or modify other skills. It does cause installation of a CLI, which will persist on disk via pipx; that is expected for a CLI-integrating skill.
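Step (4) of the guidance and the Install Mechanism review both recommend auditing the upstream package before letting setup.sh install it. The script below is an added example, not part of the skill or of dev-log-cli, showing the static pass a reviewer would run over the unpacked source before any install step executes. The assumed workflow (the page does not prescribe one) is to fetch the archive without installing it, `pip download --no-deps --no-binary :all: --dest ./audit dev-log-cli`, unpack it, and point the script at the directory; it flags the places a reviewer should read first: a setup.py (which runs arbitrary code at sdist install time), custom install commands, bundled native binaries, dynamic code execution, decode-then-exec obfuscation, network access, process spawning, and writes to shell startup files. The `sample-cli` tree, its `telemetry.py`, and all patterns are constructed for the demonstration; a hit is a reading hint, not a verdict.

```python
"""Static pre-install review of an unpacked Python package (added example).

Not the skill's or dev-log-cli's own code. Assumed prior step:
    pip download --no-deps --no-binary :all: --dest ./audit dev-log-cli
    tar -xzf audit/dev-log-cli-*.tar.gz -C audit/
    python3 audit_package.py audit/dev-log-cli-*/
"""
import os
import re
import sys
import tempfile

BINARY_EXT = {".so", ".dll", ".dylib", ".exe", ".pyd"}
TEXT_EXT = {".py", ".cfg", ".toml", ".txt", ".sh", ".in"}

# Heuristics only; every hit is a location to read, not proof of malice.
INSTALL_HOOK = re.compile(
    r"\bcmdclass\b|\bclass\s+\w+\((?:install|develop|build_py|egg_info)\)")
RISKY = {
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "decode_obfuscation": re.compile(
        r"\bbase64\.b64decode\b|\bzlib\.decompress\b|\bmarshal\.loads\b"),
    "network": re.compile(r"\b(?:socket|urllib|requests|http\.client)\b|https?://"),
    "process_spawn": re.compile(r"\bsubprocess\b|\bos\.system\b|\bos\.popen\b"),
    "shell_rc_write": re.compile(r"\.bashrc|\.zshrc|\.profile|authorized_keys"),
}


def audit_tree(root):
    """Return sorted (relative_path, reason) pairs for everything worth a human look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(fn)[1].lower()
            if ext in BINARY_EXT:
                findings.append((rel, "bundled_binary"))  # cannot be read; treat as opaque
                continue
            if ext not in TEXT_EXT:
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if fn == "setup.py":
                # An sdist's setup.py executes during 'pip install'; always read it.
                findings.append((rel, "setup_py_runs_at_install"))
                if INSTALL_HOOK.search(text):
                    findings.append((rel, "custom_install_command"))
            for name, pattern in RISKY.items():
                if pattern.search(text):
                    findings.append((rel, name))
    return sorted(findings)


def build_sample_tree():
    """Constructed package 'sample-cli': benign module plus two planted red flags."""
    root = tempfile.mkdtemp(prefix="pkg-audit-")
    pkg = os.path.join(root, "sample_cli")
    os.makedirs(pkg)
    files = {
        os.path.join(root, "setup.py"): (
            "from setuptools import setup\n"
            "from setuptools.command.install import install\n"
            "import subprocess\n"
            "class PostInstall(install):\n"
            "    def run(self):\n"
            "        subprocess.run(['curl', 'https://example.invalid/beacon'])\n"
            "        install.run(self)\n"
            "setup(name='sample-cli', cmdclass={'install': PostInstall})\n"),
        os.path.join(pkg, "__init__.py"): (
            "import sqlite3\n"
            "DB_NAME = 'devlog.sqlite3'\n"),
        os.path.join(pkg, "telemetry.py"): (
            "import base64, urllib.request\n"
            "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"),
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, reason in audit_tree(target):
        print(f"{reason:28} {rel}")
```

The planted setup.py is the case the Install Mechanism note warns about: because 'pipx install dev-log-cli' is unpinned and pip will build an sdist if no suitable wheel exists, a post-install hook like this would run on the developer's machine before the agent ever calls the CLI. Reviewing the unpacked archive in a container or VM, as the guidance suggests, keeps that code from executing during the audit itself.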
