Favorites Curator
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The generated favorites files may reveal what repositories, apps, skills, extensions, and hooks are installed on the machine.
The skill persistently stores a catalog and cache derived from broad local software, skill, extension, and hook locations.
Entries: `favorites/entries/` ... Snapshots: `favorites/snapshots/` ... Cache: `favorites/enrichment-cache.json`; Covered Sources: `~/ai` git repositories ... `~/.openclaw/hooks`
Use it only in workspaces where a persistent local inventory is acceptable, and review or delete the favorites/ directory if it contains sensitive inventory details.
Running the skill can inspect the local software environment and create/update catalog files, though no destructive command behavior is shown.
The expected workflow runs bundled Python scripts and local inventory commands; this is central to the purpose but should be understood before use.
Run `scripts/scan_favorites.py` to refresh entries and the latest snapshot ... `brew info --json=v2 --installed` is used once per scan
Run the scripts only when you intend to refresh the local catalog, and inspect the generated reports if you are concerned about what was collected.
External services may learn that the machine queried metadata for particular repositories or homepages.
The scanner includes enrichment logic that can contact GitHub and non-GitHub source URLs to improve metadata.
`data = fetch_json(f'https://api.github.com/repos/{repo_key}')` ... `html = fetch_text(normalized)`
Avoid running online enrichment in highly sensitive workspaces unless you are comfortable with those source URLs being contacted; a future version should offer an explicit offline/disable-enrichment option.
Users have less provenance information for deciding whether to trust the bundled scripts.
The code-bearing skill does not provide a public source or homepage reference in the supplied metadata.
Source: unknown; Homepage: none
Install only if you trust the publisher or have reviewed the included scripts; adding a source repository/homepage would improve transparency.
