EvidenceOps - Forensic Evidence Management

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read evidence files, write staged/vault files, run local extraction commands, and create exports containing sensitive case material.

Why it was flagged

The skill gives the agent local read/write/command capability and evidence export/access-log tools. This is aligned with staging, hashing, metadata extraction, and vault export, but it is high-impact if used outside the intended case workflow.

Skill content

tools: ... evidence.ingest ... evidence.export ... evidence.access_log ... Read ... Write ... Bash

Recommendation

Install only if you want the agent to manage evidence files, keep vault paths tightly scoped, and require review before exports or any destructive retention actions.

What this means

Users may need to install or build the evidence-vault plugin separately, so package provenance and dependency integrity matter.

Why it was flagged

Registry-level provenance and installation metadata are sparse even though the skill documentation references an npm plugin installation. This is disclosed but worth checking before use.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Verify the npm package source, pin or lock dependencies where possible, and install the plugin only from a trusted registry or reviewed source.

What this means

If S3 mode is enabled with overly broad IAM permissions, the plugin could read or write more cloud storage than intended.

Why it was flagged

Optional S3 storage may use cloud account credentials or IAM roles. This is expected for an S3-backed evidence vault, but those credentials should be narrowly scoped.

Skill content

driver: s3 ... bucket: evidence-vault-prod ... Use IAM roles, not static credentials ... accessKeyId: (from environment or IAM) ... secretAccessKey: (from environment or IAM)

Recommendation

Use a dedicated bucket, least-privilege IAM role, encryption, Object Lock if required, and no public bucket access.

What this means

Evidence files, GPS metadata, sender/source details, manifests, and audit logs may remain available for the configured retention period.

Why it was flagged

The skill intentionally persists sensitive evidence metadata and operational records for later verification and audit. This is central to the purpose, but it creates long-lived sensitive context.

Skill content

EXIF data (may include GPS coordinates) ... Audit logs ... Chain of custody records ... Case manifests ... Access records

Recommendation

Protect the vault directory or bucket, review redaction behavior, set appropriate retention policies, and avoid ingesting evidence that is not needed.