Alumni Career Tracker
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked carelessly, the agent could run local commands or write files while preparing alumni analyses.
The skill gives the agent local read/write/edit and shell-command capability. That is consistent with running the included Python analytics script and writing reports, but it is still broad local authority.
allowed-tools: [Read, Write, Bash, Edit]
Use the skill only for intended local analytics tasks, review Bash commands and output paths, and avoid granting it access to unrelated directories.
Dependency behavior could vary across installations, and unpinned packages have weaker reproducibility and supply-chain control.
The Python dependencies are listed without pinned versions, so a manual install would resolve whatever package versions are current at install time.
dataclasses pandas rich
If installing dependencies, pin trusted package versions and use a trusted package index or environment lockfile.
Alumni names, career details, salary ranges, and notes may remain on disk and be visible to anyone with access to that project or skill directory.
The code stores alumni records, including potentially sensitive salary and notes fields, in a persistent local JSON file.
salary_range: str = "" ... notes: str = "" ... data_path = skill_dir / "alumni_data.json" ... json.dump([r.to_dict() for r in self.alumni], f, ensure_ascii=False, indent=2)
Collect only necessary data, obtain appropriate consent, restrict file permissions, anonymize reports where possible, and avoid storing sensitive salary or personal notes unless needed.
