Encoding Toolkit

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward local encoding, decoding, and hashing utility with no evidence of network access, credential use, persistence, or hidden behavior.

This skill looks safe for normal local encoding, decoding, and hashing tasks. Be cautious when using it with secrets or private files, because results may be displayed in output, but the artifacts do not show exfiltration, persistence, or hidden privileged behavior.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If used on a sensitive file, the tool may print encoded, decoded, or hashed results into the agent conversation or terminal output.

Why it was flagged

The script can read a user-specified local file and then encode, decode, hash, or detect its contents. This is disclosed and expected for the stated purpose, but it means sensitive files should only be processed intentionally.

Skill content

elif getattr(args, "file", None):
            try:
                with open(args.file) as f:
                    data = f.read().rstrip("\n")

Recommendation

Use the --file and --stdin options only with data you intend the agent/tool to process, and avoid decoding or printing secrets unless that is your goal.