Whoami Tool
ReviewAudited by ClawScan on May 13, 2026.
Overview
The skill is very small and does not show data theft or persistence, but its implementation contradicts its access-control claims and could make scripts trust a false identity check.
This skill appears low-risk for privacy, but do not rely on it for access control, root checks, UID/GID checks, or group membership checks in its current form. Its advertised behavior and implementation do not match.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could rely on this tool for access-control or privilege decisions and get a false successful result, causing scripts to take the wrong branch.
The documentation presents the tool as suitable for identity and privilege checks, including '--check root', but the included scripts/whoami.py implementation only runs `print(os.environ.get('USER', 'unknown'))` and performs no argument parsing or non-match exit behavior.
--check USER Exit 0 if current user matches, 1 if not
Do not use this skill for security or privilege checks unless the implementation is corrected to use the effective UID, validate arguments, and return accurate exit codes for failed checks.