Claw Trace
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent and off by default, but users should understand that enabling it will make the agent display tool-call traces that could contain sensitive details if redaction fails.
This skill appears safe to install as an instruction-only tracing aid. Before enabling it, remember that it can display tool inputs and outputs in replies, and optional detailed logs or saved reports may contain private information. Keep full logging and file export off unless you need them, and review trace output for secrets.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, replies may become more verbose and include operational details about tool use without the user asking each time.
This changes the agent's normal response behavior by requiring trace output after tool calls once the user enables it. The behavior is clearly disclosed and aligned with the tracing purpose.
"When enable = true → MUST automatically show trace output after every tool call, do NOT wait for user to ask"
Enable tracing only when you want continuous tool-call visibility, and disable it after use if you prefer normal responses.
Trace logs may reveal sensitive information from tool calls if the redaction guidance is not followed perfectly.
Detailed logging of tool inputs and outputs can expose task context, file excerpts, or other private data if redaction is incomplete, though the skill explicitly instructs redaction and keeps detailed logging disabled by default.
"Record complete input/output for each call (except sensitive info)."
Keep detailed logging and save-to-file disabled unless needed, review trace output for secrets, and avoid enabling full tracing in sensitive projects.
If file export is enabled, trace reports could remain in the workspace and be seen later by others with access to that workspace.
The skill can optionally persist trace reports to disk, which is consistent with the stated reporting purpose and disabled by default, but saved traces may retain sensitive task details.
"Generate Markdown report saved to workspace."
Use save-to-file only when needed, store reports in appropriate locations, and delete reports that contain private or sensitive information.
