Skill v1.0.0

ClawScan security

agent-error-logger-new · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 7:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, docs, and runtime instructions are coherent with its stated purpose (recording and searching agent error logs). It does not request unrelated credentials or install arbitrary third‑party code, but review the suggested GitHub push examples and the workspace log location before enabling it.
Guidance
This skill appears to do what it claims: keep local markdown error logs and let you search them. Before enabling: (1) Verify the workspace/memory path used by the scripts is acceptable and does not contain sensitive data you wouldn't want aggregated into logs. (2) Do not paste GitHub Personal Access Tokens into command lines or URLs as shown in docs — prefer gh auth login or a credential helper. (3) If you plan to let the agent automatically consult logs before tasks, confirm you are comfortable with the agent reading the workspace/memory files. (4) Review the repository files locally (especially example logs) to ensure no real secrets are present in example content.

Review Dimensions

Purpose & Capability
ok · Name/description match the provided files and scripts: record_error.py and search_errors.py implement recording and searching error logs stored under workspace/memory. README, USAGE, and SKILL.md all describe the same logging/searching functionality — nothing requests unrelated services or capabilities.
Instruction Scope
ok · SKILL.md instructs the agent to record, query, and proactively check local error logs in workspace/memory. The runtime instructions and example commands reference only local files and the included Python scripts; they do not command the agent to read unrelated system credentials, network endpoints, or external data beyond optional GitHub publishing guidance.
Install Mechanism
ok · There is no install spec — this is instruction/code-only. No remote download or archive extraction occurs. The included create-repo.sh uses the GitHub CLI (gh) if run, which is normal for pushing a repo but is optional and not required for core logging functionality.
Credentials
note · The skill declares no required environment variables or credentials. Documentation shows optional GitHub push workflows (gh CLI or embedding a PAT in a push URL). That example (embedding a PAT in a git URL) is an insecure practice — the scripts do not themselves exfiltrate secrets, but running the push instructions requires GitHub credentials and care.
Persistence & Privilege
ok · always is false and the skill is user-invocable. The skill writes/reads files under workspace/memory (its own data area) which is expected for a logger; it does not request system-wide config changes or alter other skills.