entr
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill clearly documents a file-watching command runner, but users should be careful because it can run arbitrary local commands repeatedly or in the background.
This skill appears coherent and benign for using entr, but only run watch commands you would be comfortable running manually. Be especially careful with '-s' shell evaluation, destructive commands, and background watchers that continue running until stopped.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A command may run repeatedly whenever watched files change, so a risky command could repeatedly modify files or affect the local environment.
The skill's main function is to execute user-chosen local commands in response to file changes. This is expected for entr, but it is broad authority if used with destructive or untrusted commands.
`entr` takes a list of filenames from standard input and executes the utility specified as the first argument.
Use explicit, safe commands for watch mode, avoid destructive commands unless intentionally requested, and review shell-evaluated commands before running them.

If untrusted or poorly quoted text is used with '-s', the shell may interpret it in unintended ways.
The documented '-s' option invokes shell interpretation. This is a normal entr feature, but shell evaluation is more sensitive than passing a fixed executable and arguments.
`-s`: Evaluate the first argument using the interpreter specified by `SHELL`.
Prefer direct command arguments over '-s' when possible, and only use '-s' with commands that have been reviewed and quoted safely.

A background watch process may keep running and re-run commands after additional file changes.
The instructions explicitly allow a long-running background watcher. This is disclosed and purpose-aligned, but it can continue operating until stopped.
Use `process` tool to run it in the background if you need to do other things.
Monitor background watchers and stop them when the build, test, or reload task is complete.

Users may need to install entr separately and should choose a trusted package source.
The skill documents use of the external entr CLI but does not declare a required binary or installation source. This is a setup/provenance clarity gap rather than evidence of unsafe code.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Install entr only from a trusted OS package manager or upstream source, and consider declaring the required binary in metadata.
