pet

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the wrong saved snippet could modify files, run tools, or affect accounts the user is logged into.

Why it was flagged

The skill exposes a path to execute saved command snippets. This is expected for a command snippet manager, but the executed command can have arbitrary local or account side effects depending on the snippet.

Skill content

### Execute a snippet directly
```bash
pet exec
```

Recommendation

Review the snippet selected by `pet exec` before allowing it to run, especially for snippets copied from others or stored long ago.

What this means

If the installed `pet` command is untrusted or different from the expected tool, the skill could behave differently than described.

Why it was flagged

The skill does not ship code and depends on a preexisting local `pet` binary. This is reasonable for an instruction-only wrapper, but the local binary's provenance determines what actually runs.

Skill content

Required binaries (all must exist): pet; No install spec — this is an instruction-only skill.

Recommendation

Install `pet` from a trusted source and verify the command on your system before using this skill.

What this means

Old, incorrect, or malicious snippets could be reused later if they remain in the snippet file.

Why it was flagged

Saved snippets persist across sessions and may be reused later. This is central to the skill, but stale or untrusted snippets could influence future command execution.

Skill content

Snippets are stored in `~/.config/pet/snippet.toml`.

Recommendation

Periodically review `~/.config/pet/snippet.toml`, remove snippets you do not trust, and avoid storing secrets directly in command snippets.

What this means

Command snippets may be uploaded to GitHub Gist and could expose sensitive command text depending on the Gist configuration.

Why it was flagged

The skill discloses optional sync of local snippets to GitHub Gist. This is purpose-aligned, but it moves snippet content outside the local machine.

Skill content

If configured in `~/.config/pet/config.toml`, you can sync snippets to a GitHub Gist:
```bash
pet sync
```

Recommendation

Use `pet sync` only after checking the Gist visibility and confirming snippets do not contain secrets, tokens, private URLs, or sensitive system details.