ContextKeeper
Audited by ClawScan on May 10, 2026.
Overview
ContextKeeper is a local checkpointing helper, but its scripts contradict some safety claims and contain unvalidated local state/path handling that could write outside the intended folder or run injected Python from a poisoned checkpoint file.
Install only if you are comfortable with a local shell-based checkpoint tool that writes persistent project metadata under ~/.memory/contextkeeper. Before the skill is relied on, the maintainer should add project-ID path validation, parse checkpoint timestamps safely, and update the metadata and security claims to match the scripts' actual dependencies and command execution.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or malicious project override could make the helper write files in unintended locations under the user's home directory.
The optional project ID argument is used directly in a filesystem path without validation. A value containing path traversal such as ../ can cause the script to create directories and write latest.json outside the intended ContextKeeper projects directory.
PROJECT_OVERRIDE="${2:-}" ... PROJECT_ID="$PROJECT_OVERRIDE" ... mkdir -p "$PROJECTS_DIR/$PROJECT_ID" ... cat > "$PROJECTS_DIR/$PROJECT_ID/latest.json"
Validate project IDs with a strict allowlist such as P followed by digits, or alphanumeric/underscore/hyphen characters only; reject slashes and dot-dot segments; and verify that the resolved path remains under $HOME/.memory/contextkeeper/projects.
If local checkpoint state is tampered with or generated unsafely, opening the dashboard could run commands with the user's privileges.
A timestamp read from a persistent checkpoint file is inserted directly into a Python command string. If the checkpoint file is poisoned with a single quote and Python statements, dashboard.sh could execute unintended Python code.
TIMESTAMP=$(grep '"timestamp"' "$CURRENT" ...)
REL_TIME=$(python3 -c "
from datetime import datetime
try:
    ts = '${TIMESTAMP}'.replace('Z', '+00:00')
Do not interpolate file content into python3 -c. Pass the timestamp via an environment variable or argv, validate it as an ISO timestamp before use, or compute the relative time purely in shell with safe parsing.
Project names, paths, branch names, recent commit summaries, and touched file names may remain on disk and influence later dashboard/context behavior.
The skill persistently stores project state and git-derived metadata in local memory files for reuse across sessions. This is aligned with the stated purpose, but users should understand what is retained.
CKPT_DIR="$HOME/.memory/contextkeeper" ... "git_branch": "$SAFE_BRANCH", "recent_commits": "$SAFE_RECENT_COMMITS", "files_touched": [$FILES_JSON] ... "git_dir": "$GIT_DIR"
Document retention and cleanup clearly, avoid storing more project metadata than needed, and treat checkpoint files as untrusted input when reading them later.
Users may believe the skill has stronger input validation and less command execution than the included scripts actually provide.
The safety description overstates the implementation: included shell scripts do execute local commands, and ckpt.sh uses the project override in paths without validation while dashboard.sh interpolates checkpoint data into Python.
Manual checkpoint creation with validated inputs. No background processes, no PID manipulation, no command execution. ... | Injection attacks | Input validated and escaped |
Revise the claims to accurately describe local command use, specify exactly which inputs are validated, and fix the validation/escaping gaps before advertising the skill as safe from injection.
The skill may fail or behave differently on systems that do not have these tools, despite metadata suggesting no binary requirements.
The registry-style metadata declares no required binaries, while the user-facing requirements and scripts depend on bash and git, with dashboard.sh optionally using python3.
requires:
  bins: []
  install: []
...
## Requirements
- bash
- git (for project detection)
Declare bash and git in the skill metadata, mention optional python3 use, or remove the dependency from the script.
