Which Tool
PassAudited by ClawScan on May 12, 2026.
Overview
This skill only looks up executable paths and does not access credentials or run commands, though its documentation advertises options the included script does not implement.
This appears safe to use for basic command-path lookup. Be aware that the documented flags and multi-command examples may not work with the included script, so verify behavior before relying on it in automation.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may try documented flags such as --json or -a and get failures or incorrect automation assumptions.
The documentation advertises options and multi-command behavior, while the included scripts/which.py only parses one positional argument and calls shutil.which(args.cmd). This is a low-impact reliability/documentation mismatch rather than evidence of malicious behavior.
Options: -a, --all Show all matching paths, not just the first -s, --silent Exit silently ... --json Output as JSON array
Treat this as a simple single-command path lookup unless the implementation is updated to match the documented options.