Devlog Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may install or update local Python tooling and fetch dev-log-cli from PyPI.
The setup script installs external Python packages at setup time and does not pin a dev-log-cli version. This matches the skill's stated dependency, but users are relying on the package index and package maintainer for the code that will run.
python3 -m pip install --user pipx ... pipx install dev-log-cli
Review the dev-log-cli package source and consider pinning a known-good version before running setup.sh in a sensitive environment.
Project notes, blockers, and status information may remain available across future agent sessions.
The skill intentionally creates persistent project context that can later be listed or searched. This is central to the journaling purpose, but persistent logs can retain sensitive or outdated information.
capture context, project milestones, and task statuses in a structured SQLite database
Do not log secrets, credentials, private customer data, or sensitive internal decisions unless you have reviewed the CLI's storage location and retention behavior.
