Devlog
Review
Audited by ClawScan on May 1, 2026.
Overview
Devlog appears purpose-aligned, but it reads local AI coding transcripts and can optionally use a publishing token to post the resulting blog online.
Install only if you are comfortable letting the skill inspect local AI coding-session transcripts for the selected project. Before publishing, review the generated Markdown for secrets, private code details, internal paths, or anything you do not want made public.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private coding-session content may be summarized or quoted in the generated devlog if the selected sessions contain sensitive information.
The skill intentionally loads persistent AI coding-session transcripts as source material for a new blog post. Those transcripts may include private project details, sensitive prompts, paths, or prior model text.
Read the full transcripts of selected sessions. ... Keep: User messages (text) ... Assistant messages (text) ... Tool call names + file paths
Use a narrow project/topic/time range, confirm the session list carefully, and review/redact the generated Markdown before sharing or publishing it.
Running the helper may reveal local project directory names and session metadata to the agent so it can select relevant transcripts.
The Gemini session-discovery helper enumerates common local project directories to map hashed session storage back to project paths. This is purpose-aligned, but it is broader than reading a single specified file.
base_dirs = [ home, os.path.join(home, "dev"), ... os.path.join(home, "Documents"), ... ] ... # Scan base directories up to 3 levels deep
Prefer an explicit project name and time range, and review the presented session index before allowing transcript reading.
If the user provides the token and confirms publishing, the agent can create a public blog post on the connected Hashnode account.
Optional publishing requires a Hashnode personal access token and publication ID, giving the workflow authority to post content to the user's publication.
Check for required environment variables (e.g. `HASHNODE_PAT`, `HASHNODE_PUBLICATION_ID` for Hashnode). ... Ask the user to provide the values for the current session.
Use a token with the minimum needed permissions, provide it only when publishing is desired, review the final post first, and revoke or rotate the token if it was exposed in chat.
The skill may fail or require local Python availability when using helper scripts.
The bundled helper scripts rely on Python even though the registry requirements list no required binaries. The helper code is included and no remote download is shown, so this is a dependency-disclosure note rather than a security concern.
# Output: JSON array to stdout with session metadata for matching projects.
# Requires: python3
Ensure Python is available before use and review bundled scripts if running them in a sensitive environment.
