ClawHub
Back to skill
v1.0.0

Paste Tool

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 6:21 PM.

Analysis

This appears to be a small local file-merging utility with no credentials, network use, or install script, but its documented options do not match the provided code and its source provenance is minimal.

GuidanceThis skill looks safe for simple local file merging. Before installing, be aware that it can read and display any files passed to it, its source is not documented, and the advertised -d and -s options are not implemented in the provided script.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/paste.py
files = [open(f).readlines() for f in sys.argv[1:]] if sys.argv[1:] else [sys.stdin.readlines()]

The script reads every command-line path provided, or stdin if no paths are provided. This is purpose-aligned for a file-merging utility, but users should understand that any file path passed to it will be read and printed into the agent's output.

User impactIf the agent or user passes an unintended sensitive file, its contents may be displayed in the merged output.
RecommendationUse it only with files you intend to combine and disclose in the current conversation or workflow.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The skill has minimal provenance information. There is no install spec or external dependency shown, which limits supply-chain exposure, but the origin is not independently documented in the provided metadata.

User impactYou have limited information about who maintains the skill or where the code originated.
RecommendationReview the included source before use and prefer a known source if provenance is important for your environment.
Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
scripts/paste.py
print('\t'.join(row))

The implementation hardcodes tab-delimited parallel output and contains no handling for the -d custom delimiter or -s serial mode documented in SKILL.md. This is a functionality/trust mismatch rather than evidence of malicious behavior.

User impactUsers or agents may expect custom delimiters or serial merging to work, but the provided code will not implement those options and may produce unexpected results or errors.
RecommendationTreat the documented -d and -s options as unsupported unless the implementation is updated.