Exec Reducer
ReviewAudited by ClawScan on May 10, 2026.
Overview
This simple file helper shows no hidden network behavior, but it gives the agent an unbounded way to read and overwrite local files and its documented command name does not match the included script.
Install only if you are comfortable with a skill that can read and overwrite local files when invoked. Use it in a limited workspace, verify file paths carefully, and correct the documented script-name mismatch before relying on it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent invokes this tool incorrectly, it could overwrite important local files or inspect files outside the intended project area.
The script overwrites whatever file path is supplied on the command line, with no workspace restriction, confirmation step, backup, or protection against unintended paths.
elif cmd == "write" and len(sys.argv) > 3:
with open(sys.argv[2], 'w', encoding='utf-8') as f:
f.write(sys.argv[3])Restrict operations to an approved workspace, require explicit user approval before writes, avoid overwriting by default, and add backups or dry-run behavior for mutations.
The skill may not run as documented, and in some contexts an agent might run an unintended file with the documented name.
The documented command refers to exec-batch-skill.py, but the provided manifest/source file is exec-reducer.py. This mismatch could cause failed execution or accidental execution of a different same-named local file.
python exec-batch-skill.py read <filepath>
Update SKILL.md to reference the actual packaged script name, or include the documented script file in the package.