Skillv1.0.0

ClawScan security

Intent Guardian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 26, 2026, 2:53 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are coherent with its stated purpose (monitoring local desktop activity and reminding you about interrupted tasks), but it collects potentially sensitive local data (window titles, activity logs, optional screenshots) so you should review configuration and storage before enabling screen capture or remote model integration.
Guidance: This skill is internally consistent with what it says it will do, but it collects local activity data that may be sensitive. Before installing or running it: 1) Keep screen_capture_enabled false unless you understand the risk—screenshots can contain passwords, private messages, or confidential documents. 2) If you enable vision_model, confirm the model endpoint is local/trusted; avoid sending raw screenshots to unknown third-party services. 3) Leave ActivityWatch URL at the default (localhost) unless you intentionally point it to a trusted server. 4) Inspect and, if desired, change INTENT_GUARDIAN_DATA_DIR to a secure location and set filesystem permissions; consider encrypting or regularly cleaning logs. 5) Test in a non-sensitive account or VM first to observe what is captured. 6) If you don't want persistent background sensing, don't add the heartbeat/cron jobs and run sensing scripts manually when needed.

Review Dimensions

Purpose & Capability: okThe name/description (desktop activity sensing, task stack, reminders) match the provided scripts and SKILL.md. All required capabilities (polling active window via osascript, optional ActivityWatch integration, optional screenshots for vision models, local JSON state under memory/skills/intent-guardian) are consistent with the described functionality. There are no unrelated credentials, services, or binaries requested.
Instruction Scope: noteRuntime instructions direct the agent to poll active window/app titles, append event lines to a local activity_log.jsonl, maintain task_stack.json and focus_profile.json, and send reminders. These actions are within scope. Important caveats: the optional screen-capture path produces base64 image output (scripts/sense_screen.sh) which could contain highly sensitive data; the SKILL.md also references an optional 'vision_model' which—if configured to a remote service—would cause image data to be transmitted off-host. ActivityWatch integration uses HTTP to a configurable URL (default localhost). If the user changes that URL to a remote host, activity data could be sent externally. The instructions themselves do not automatically exfiltrate data, but configuration choices can enable external transmission.
Install Mechanism: okNo install spec is provided (instruction + included scripts only). That is low-risk: nothing is downloaded or executed from remote URLs during installation. All code is contained in the package and uses standard system tools (osascript, screencapture, curl, base64, python3).
Credentials: noteThe skill requests no credentials or special environment variables by default. It does use optional environment/config variables (INTENT_GUARDIAN_DATA_DIR, INTENT_GUARDIAN_POLL_INTERVAL, INTENT_GUARDIAN_AW_URL) which are reasonable for configuring storage, poll interval, and ActivityWatch endpoint. The sensitivity concern is data collected (window titles, app names, timestamps, and optionally full screenshots) — these are proportional to the stated purpose but can include private content; there is no explicit justification for sending such data off-device, so caution is warranted if you enable remote vision/model integration or point AW_URL to a non-local endpoint.
Persistence & Privilege: okThe skill is not set to always:true and does not request elevated system privileges. It writes data under memory/skills/intent-guardian (configurable via INTENT_GUARDIAN_DATA_DIR), and suggests optional cron/heartbeat hooks which are user-configured. It does not modify other skills' configuration or force installation into every agent run.