Spotlight
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears benign: it uses macOS Spotlight to search user-specified folders, but search results can expose local file names and file metadata, and the skill's metadata under-declares its macOS Spotlight dependency.
Before installing, be aware that the skill searches your local Spotlight index and returns matching paths. Limit searches to folders you are comfortable exposing in the chat, and only let the agent open files after you explicitly choose them.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search results may expose private filenames, folder locations, and the existence of matching local documents to the agent conversation.
The helper runs a local Spotlight search using user-supplied directory and query values. The values are quoted and the search is constrained with -onlyin, but it can still reveal local file paths and metadata from the selected directory.
results=$(mdfind -onlyin "$DIRECTORY" "$QUERY" 2>/dev/null | head -n "$LIMIT")
Use it only on folders you intentionally want searched, and review result paths before asking the agent to open or summarize files.
The skill may fail or require ad hoc troubleshooting on non-macOS systems or systems without Spotlight indexing.
The metadata does not declare the platform or binary requirement, while the skill is macOS-only and the script invokes Spotlight's mdfind. This is an operational metadata gap, not hidden behavior.
OS restriction: none ... Required binaries (all must exist): none ... Required binaries (at least one): none
The publisher should declare macOS and mdfind/Spotlight as requirements; users should install it only where Spotlight is available.
