Context Verifier

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent for local file-integrity checking, but it can read any file path you provide and can persist packet data, so avoid sensitive files unless you intend that.

This appears safe for its stated purpose of local file integrity checking. Before installing, be aware that it can read any file path you give it and can write persistent context packets; avoid sensitive files, broad glob patterns, and the include-content option unless you deliberately need them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you or your agent provide a sensitive path or broad glob, the skill may read files you did not mean to include.

Why it was flagged

The skill intentionally accepts arbitrary user-provided file paths for hashing and verification. This is purpose-aligned, but broad paths or globs could cause unintended local file reads.

Skill content

the skill will read ANY file path you provide to `/cv hash`, `/cv verify`, or `/cv packet`

Recommendation

Use precise file paths, avoid broad globs, and do not run it on secrets or credential files unless you intentionally want them checked.

What this means

Sensitive content could remain in your workspace if you use include-content on confidential files.

Why it was flagged

The skill creates persistent context packets, and an optional flag can store actual file contents. This is disclosed and purpose-aligned, but persistent outputs can retain sensitive data.

Skill content

Results are written to `output/context-packets/` in your workspace ... `--include-content` flag stores file contents to disk.

Recommendation

Leave include-content disabled for sensitive files, review generated packets before sharing them, and delete packets that contain private data.

What this means

There is no artifact-backed evidence of unsafe install behavior, but provenance is not fully established in the supplied metadata.

Why it was flagged

The supplied registry information does not identify a verified source, although the artifact itself contains no executable install mechanism or code files.

Skill content

Source: unknown ... No install spec — this is an instruction-only skill.

Recommendation

Install only from a trusted registry entry or verified repository, especially if you rely on it for integrity-sensitive workflows.