Sightglass
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill delegates substantial behavior to an external package that could change over time or be compromised.
Setup installs an unpinned global npm package that is not included in the reviewed artifacts, and the other scripts later execute the resulting sightglass command.
npm i -g @sightglass/cli
Pin the npm package version, publish an install spec, provide provenance or checksums, and review the CLI before allowing it to monitor projects.
The watcher may continue monitoring the project after the immediate agent session setup has completed.
The hook starts the watcher as a background process and disowns it, which lets it continue running independently of the hook command.
sightglass watch --project "$PROJECT_DIR" & disown
Require explicit opt-in for background monitoring, document how to stop it, and consider stopping the watcher in the post-session hook unless the user chooses persistent monitoring.
Project activity, dependency decisions, and tool-call details could be uploaded to sightglass.dev when cloud features are enabled.
The documented data flow includes potentially sensitive project and tool-call telemetry being sent to a third-party cloud service, without clear artifact-level limits on what is collected, redacted, retained, or auto-pushed.
Starts the background watcher that monitors agent sessions — file changes, package installs, tool calls. ... All data syncs to [sightglass.dev](https://sightglass.dev) when authenticated.
Use cloud sync only if needed, disable auto-push unless explicitly desired, and require documentation for collected fields, redaction, retention, and deletion controls.
Using login connects the local watcher/analyzer to a Sightglass cloud account and may enable history or sync features.
The skill asks the user to authenticate with the provider for cloud features; this is purpose-aligned but grants the CLI account-level access for that service.
sightglass login: Authenticate with [sightglass.dev](https://sightglass.dev) to enable cloud analysis and history.
Only authenticate if you want cloud analysis, and verify where credentials are stored and how to revoke them.
