Skill v0.2.3
ClawScan security
ContextKeeper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Feb 19, 2026, 3:59 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code mostly matches a local checkpointing purpose (writes JSON checkpoints under ~/.memory, uses git) and requests no credentials or network access, but there are internal inconsistencies in the metadata/README about 'no command execution' and required binaries which warrant caution.
- Guidance: This skill appears to be a local checkpoint/dashboard tool that writes JSON checkpoint files to ~/.memory/contextkeeper and reads local git metadata. No network calls or credentials are requested, which is good. However, the README/metadata contains contradictory claims (e.g., 'No command execution' and 'requires: none') while the packaged scripts clearly run shell commands and require git/bash. Before installing or invoking:
  1) Review and accept that the skill will create and write files under $HOME/.memory/contextkeeper.
  2) Confirm you're comfortable with local git metadata (file names, recent commits) being stored there.
  3) If you need stronger guarantees, run the scripts in a sandboxed environment or inspect them line-by-line (they are simple shell scripts) and consider adjusting them to your policies.
  The mismatch between documentation claims and included scripts is the main reason for a 'suspicious' rating — likely sloppy documentation, but verify before trusting the skill for sensitive environments.
Review Dimensions
- Purpose & Capability (note): Name and description describe a local project checkpoint/dashboard tool. The provided scripts (ckpt.sh, dashboard.sh) implement that behavior: auto-detect git repo, create JSON checkpoints, show status. This capability is coherent with the stated purpose. However, metadata in SKILL.md declares no required binaries while the usage and Requirements section mention bash and git — an inconsistency that should be clarified.
- Instruction Scope (concern): SKILL.md and the security table repeatedly state 'No command execution' and similar assurances, but the package includes shell scripts that run git, ln, grep, sed, and optionally python3. The scripts accept a user message and write files under $HOME/.memory/contextkeeper. The scripts include a json_escape function to mitigate injection, but the documentation's claim of 'no command execution' contradicts the presence and intended execution of these scripts.
- Install Mechanism (ok): No install spec and no downloads — instruction-only with bundled scripts. This minimizes install risk. The scripts run from the bundled repository files; nothing is fetched from external URLs.
- Credentials (ok): No environment variables or credentials are requested. Scripts write to $HOME/.memory/contextkeeper and run git locally. That is proportionate for a local project-state tool. There is no network activity or external endpoints in the provided code.
- Persistence & Privilege (ok): always:false and model invocation defaults are unchanged. The skill writes persistent state under the user's home directory (~/.memory/contextkeeper) and creates a symlink current-state.json — this is expected for a checkpoint tool and does not modify other skills or system-wide settings.
