Sha256 Tool
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a simple local SHA-256 hashing skill, with minor documentation and install mismatches but no evidence of credential use, network exfiltration, persistence, or destructive behavior.
This skill looks safe for local checksum use, but you should provide an explicit filename and be aware that the documented stdin example does not match the included script. Verify how the sha256-tool command is installed or run the Python script directly.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked without an explicit file, the tool may read a local file named a.txt instead of hashing piped text.
The script reads a provided file path, or a default local file named a.txt if no argument is given. This is purpose-aligned for file hashing, but differs from the documented stdin example and could hash an unexpected local file.
h.update(open(sys.argv[1] if len(sys.argv) > 1 else "a.txt", "rb").read())
Use an explicit file path when invoking the tool, and consider updating the script to support stdin or fail safely when no input is provided.
The skill may not run as documented unless the environment already provides a matching command or wrapper.
The documentation references a sha256-tool command, but no install specification explains how that command is created from the included script.
No install spec — this is an instruction-only skill.
Verify the actual installed command or invoke the included Python script directly if appropriate.