Devlog Skill

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill

The skill bundle is benign. The `SKILL.md` file describes a journaling tool and its usage without any prompt injection attempts. The `setup.sh` script responsibly installs the `dev-log-cli` dependency using `pipx`, ensuring it's available for the agent. This involves standard package installation steps from PyPI and PATH modification, which are directly aligned with the stated purpose and do not exhibit any malicious intent, data exfiltration, or unauthorized actions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may install or update local Python tooling and fetch dev-log-cli from PyPI.

Why it was flagged

The setup script installs external Python packages at setup time and does not pin a dev-log-cli version. This matches the skill's stated dependency, but users are relying on the package index and package maintainer for the code that will run.

Skill content

python3 -m pip install --user pipx ... pipx install dev-log-cli

Recommendation

Review the dev-log-cli package source and consider pinning a known-good version before running setup.sh in a sensitive environment.

What this means

Project notes, blockers, and status information may remain available across future agent sessions.

Why it was flagged

The skill intentionally creates persistent project context that can later be listed or searched. This is central to the journaling purpose, but persistent logs can retain sensitive or outdated information.

Skill content

capture context, project milestones, and task statuses in a structured SQLite database

Recommendation

Do not log secrets, credentials, private customer data, or sensitive internal decisions unless you have reviewed the CLI's storage location and retention behavior.