Which Tool
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may try documented flags such as --json or -a and get failures or incorrect automation assumptions.
The documentation advertises options and multi-command behavior, while the included scripts/which.py only parses one positional argument and calls shutil.which(args.cmd). This is a low-impact reliability/documentation mismatch rather than evidence of malicious behavior.
Options:
  -a, --all      Show all matching paths, not just the first
  -s, --silent   Exit silently ...
  --json         Output as JSON array
Treat this as a simple single-command path lookup unless the implementation is updated to match the documented options.
