Little Steve Content Inbox

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a purpose-aligned local inbox skill that runs shell scripts and stores saved content locally, with no artifact-backed evidence of exfiltration, deception, or destructive behavior.

Before installing, confirm you are comfortable with a local shell-script inbox that stores saved notes, links, and media paths in JSON files. Install jq from a trusted source, review or clear the bundled inbox data, and avoid saving secrets or sensitive file paths.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may not work until jq is installed, and jq should be installed from a trusted package source.

Why it was flagged

The skill depends on jq for its local JSON operations. This dependency is disclosed in the skill file, but users should be aware of it because the registry summary lists no required binaries.

Skill content

requires:
  bins:
    - jq

Recommendation

Install jq only through a trusted package manager or system source, and treat this as a disclosed dependency rather than hidden behavior.

What this means

Using the skill runs local shell scripts to add, list, view, update, or delete inbox entries.

Why it was flagged

The skill's documented workflow runs included local bash scripts. This is central to the inbox purpose and the visible scripts operate on local data files, but it is still code execution users should notice.

Skill content

bash {baseDir}/scripts/inbox.sh add --type link --title "Article title" --url "https://example.com/article"

Recommendation

Use the skill only if you are comfortable running the included scripts, and keep actions tied to explicit inbox-management requests.

What this means

Notes, links, and local image paths that you save may remain on disk and be shown later through list or detail views.

Why it was flagged

The script uses a persistent JSON file as its inbox database and stores saved titles, content, URLs, media paths, statuses, timestamps, and tags there. This matches the stated archive purpose, but saved content can persist across sessions.

Skill content

DB="$BASE_DIR/data/items.json"

Recommendation

Do not archive secrets or sensitive local file paths unless you are comfortable storing them in the skill data file; delete unwanted entries and review bundled items before relying on the inbox.

What this means

A new user may see bundled/example content and could mistake it for their own saved inbox items.

Why it was flagged

The packaged inbox data is not empty; it includes pre-existing links and notes. These may appear in the inbox unless the user clears them.

Skill content

"items": [
    {
      "id": 7,
      "type": "link",
      "title": "x.com/nftcps"

Recommendation

Review data/items.json after installation and clear any preloaded entries you do not want.