Transform Tool
PassAudited by ClawScan on May 5, 2026.
Overview
This appears to be a local data transformation utility, with some documentation/setup inconsistencies but no evidence of credential access, exfiltration, persistence, or unsafe autonomy.
This skill looks safe for local file or stdin/stdout transformations, but its documentation does not match the included script and the CLI installation path is unclear. Review the script usage before installing or invoking it on important files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or user may try the wrong command options or misunderstand what the tool actually does.
The actual script requires format-conversion flags, while SKILL.md documents different options such as --upper, --lower, --trim, and --reverse. This is a documentation mismatch, not evidence of malicious behavior.
parser.add_argument('--from', '-f', dest='from_format', required=True, ...); parser.add_argument('--to', '-t', dest='to_format', required=True, ...)Verify the script's real command-line interface before relying on the SKILL.md examples, or ask the publisher to align the documentation and implementation.
The skill may not run as documented unless a separate wrapper or manual invocation is provided.
The skill references a transform-tool CLI, but the supplied install information says there is no install spec and the manifest only shows scripts/transform.py. This leaves the command wrapper or invocation path unclear.
transform-tool [options] <file>
Use the included script directly only after reviewing it, or confirm how the transform-tool command is installed or mapped.