Devlog Skill

Pass

Audited by ClawScan on May 1, 2026.

Overview

This journaling skill appears purpose-aligned, but it installs an external Python CLI and keeps persistent project logs that users should avoid filling with secrets.

This skill looks consistent with its purpose. Before installing, decide whether you are comfortable running a setup script that installs dev-log-cli from PyPI via pipx, and treat the devlog as persistent memory: use it for project progress and blockers, but avoid adding credentials, secrets, or sensitive private data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may install or update local Python tooling and fetch dev-log-cli from PyPI.

Why it was flagged

The setup script installs external Python packages at setup time and does not pin a dev-log-cli version. This matches the skill's stated dependency, but users are relying on the package index and package maintainer for the code that will run.

Skill content

python3 -m pip install --user pipx ... pipx install dev-log-cli

Recommendation

Review the dev-log-cli package source and consider pinning a known-good version before running setup.sh in a sensitive environment.

What this means

Project notes, blockers, and status information may remain available across future agent sessions.

Why it was flagged

The skill intentionally creates persistent project context that can later be listed or searched. This is central to the journaling purpose, but persistent logs can retain sensitive or outdated information.

Skill content

capture context, project milestones, and task statuses in a structured SQLite database

Recommendation

Do not log secrets, credentials, private customer data, or sensitive internal decisions unless you have reviewed the CLI's storage location and retention behavior.