Text
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A text file could be changed or overwritten if an agent applies the command directly.
The skill documents local shell commands, including an in-place file edit. This fits text cleanup, but could alter a user file if run without review.
- **Remove BOM if present:** `sed -i '1s/^\xEF\xBB\xBF//'`
Run file-changing commands only on user-approved files, preferably on a copy or with a backup.
Secrets in a local .env file could be displayed if the command is used on a real project configuration file.
.env files commonly contain API keys or secrets. The example is a config-text parsing command and does not show exfiltration, but it could reveal sensitive values to the agent context or output.
# .env files
grep -v '^#' .env | grep '='
Ask before reading .env or other credential-bearing files, and redact secret values unless the user explicitly needs them.
