Code Audit

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If scanned files contain real secrets, the generated report may also contain those secrets and could leak if shared, synced, or uploaded elsewhere.

Why it was flagged

The scanner can create a Desktop HTML report and records matched source lines as snippets. Because its rules intentionally detect hardcoded secrets and tokens, a local report may retain credential excerpts if they are found.

Skill content

--html   生成 HTML 报告到桌面(~/Desktop) ... "snippet": line.strip()[:100]

Recommendation

Treat audit reports and any AI-analysis prompt output as sensitive. Prefer redaction or masking of detected secrets before sharing reports, and rotate any real credentials discovered.

What this means

Running system mode is broader than a normal code scan and may inspect local system state using OS tools.

Why it was flagged

The optional system audit invokes local OS commands to check system command signatures. This is disclosed and read-oriented, but it is still local subprocess execution.

Skill content

subprocess.run(["codesign", "-v", cmd], capture_output=True, text=True, timeout=10)

Recommendation

Use system mode only when you intentionally want local system checks, and expect macOS-specific behavior.

Note: Medium Confidence
ASI10: Rogue Agents
What this means

If enabled, the skill could run recurring audits and generate recurring local output.

Why it was flagged

Cron is a persistence mechanism. The artifacts describe support for scheduled audits, but do not show automatic setup or hidden background installation.

Skill content

Weekly automated soul audit via cron is supported.

Recommendation

Enable cron only deliberately, document the scheduled job, and remove it when you no longer need recurring audits.