Clawshell 0.1.0
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill claims to provide a security-gated shell, but the supplied package does not include the implementation needed to support those claims.
Review carefully before installing. The idea of a human-approved shell wrapper is reasonable, but this package does not include the code that would enforce it. Ask the publisher for the full implementation and verify the dependency list before adding it to TOOLS.md or relying on it for security.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the install step would not install a reviewable ClawShell implementation from these artifacts, so users cannot verify the security behavior being advertised.
The only declared npm dependency is an unrelated package, while the skill describes a Node-based shell approval system and the artifact set contains no implementation files. This creates a provenance and functionality gap for the setup step.
"dependencies": { "package-lock.json": "^1.0.0" }
Do not rely on this skill until the actual source code, tool definitions, and dependency list are included and reviewed.
A user may trust the skill as a security control even though the reviewable package does not demonstrate that it can enforce the promised protections.
The skill makes strong safety claims about command interception and approval, but the supplied artifacts do not provide the code needed to substantiate those claims.
Secure replacement for `bash`. Analyzes command risk and executes only if safe or approved.
Treat the security claims as unverified until the implementation is available, tested, and matches the documented behavior.
Future agent shell activity could be routed through an unverified or nonfunctional tool, potentially disrupting work or creating a false sense of protection.
The instruction would make this skill the default pathway for all shell commands, which is high-impact authority. Because the implementation is absent, the actual limits, approval behavior, and failure modes are unclear.
Use `clawshell_bash` for ALL shell command execution. Do not use `bash` directly.
Only configure all shell access through this tool after verifying that the actual implementation exists, blocks dangerous commands, and requires approval as documented.
Misconfigured or exposed notification tokens could allow unwanted access to the notification integration.
The skill requires notification-service credentials for approval prompts. This is purpose-aligned, but users should recognize that these are account tokens.
CLAWSHELL_PUSHOVER_USER=your-user-key CLAWSHELL_PUSHOVER_TOKEN=your-app-token
Use dedicated app tokens with the minimum needed access and avoid committing them to shared files.
Sensitive command details could remain in local logs and later be visible to the agent or anyone with file access.
The skill keeps persistent audit logs and exposes recent log entries through clawshell_logs. Shell commands can contain sensitive paths, tokens, or operational details.
All decisions are logged to `logs/clawshell.jsonl`
Review log contents, restrict access to the log directory, and avoid putting secrets directly in shell commands.
