Skill v1.0.3

ClawScan security

Time Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 21, 2026, 5:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a local CLI time-tracking utility that only reads/writes a folder under the user's home directory and does not request credentials or network access.
Guidance
This skill appears to be a straightforward local time-tracking CLI that stores data in ~/.time-analyzer and requires Node.js (>=18). Before installing: (1) review the shipped scripts if you want to be extra cautious (they are plain JS and visible in the package), (2) be aware that activity descriptions and tags are stored in cleartext under your home directory, and (3) only add the optional cron job if you trust the installation path (global npm installs place the binary in a system location like /usr/local/bin). The package duplicates the same code under scripts/ and src/ (harmless but odd). If you need stronger guarantees, run the CLI locally (npx) instead of installing globally and inspect the files first.

Review Dimensions

Purpose & Capability
ok · Name/description match the actual behavior: a Node.js CLI that records activities, analyzes them, and stores data in ~/.time-analyzer. There are no unrelated requirements (no cloud credentials or unrelated binaries).
Instruction Scope
ok · SKILL.md and the code only reference local CLI commands, file paths under the user's home directory, and optional cron setup for local reporting. Instructions do not read unrelated system files, request credentials, or send data to external endpoints.
Install Mechanism
ok · No install spec in the skill bundle; SKILL.md suggests npm / npx (standard for Node CLIs). All included code is plain JS and will run locally. No downloads from untrusted URLs or opaque extract/install steps.
Credentials
ok · The skill declares no required environment variables, credentials, or config paths beyond writing to ~/.time-analyzer, which is expected for a local time tracker. No secret-named env vars are requested.
Persistence & Privilege
ok · always:false and default autonomous invocation are preserved. The skill stores only its own config/records under the user's home directory and does not modify other skills or system settings. Cron usage is optional per instructions.