ClawHub
Back to skill
v1.0.0

Printf Tool

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:11 PM.

Analysis

This skill appears benign: it is a small local formatting utility, with minor caveats about unknown provenance and unbounded format strings.

GuidanceThis skill is low risk for its stated purpose. Before installing, note that its provenance is not identified and avoid using untrusted or extremely large format strings in automated contexts.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/printf.py
print(sys.argv[1] % tuple(sys.argv[2:]), end='')

The first command-line argument is used directly as the format string and the rest are interpolated into it. That is the skill's intended purpose, but the artifacts do not define limits on output size, width, or precision.

User impactA malformed or extremely large format string could cause an error or excessive output, but the tool does not show file, network, or account mutation behavior.
RecommendationUse ordinary, bounded format strings; add validation or output-size limits if this tool is used in automated workflows.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown
Homepage: none

The registry information does not identify an upstream source or homepage. The included code is small and no external install source is used, so this is a provenance note rather than a material concern.

User impactUsers have limited provenance information for the skill, although the supplied artifacts are minimal and visible.
RecommendationReview the included script before use if provenance matters, and prefer a skill release with a verifiable source repository.