Agent Metrics

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a local metrics utility with no evidence of exfiltration or hidden behavior, though users should note its local persistence, export writes, and documentation/metadata mismatches.

This skill looks safe for local metrics tracking. Before installing, note that it writes a local agent_metrics.json file, can export to a chosen path, and may retain sensitive error details if you record them. Prefer using the included Python file, install psutil from a trusted source, and do not run or fetch the missing PowerShell wrapper unless it is separately reviewed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any secrets or private information placed in metric labels or error details could remain on disk and later be shown or exported.

Why it was flagged

The tool persists metric labels, error details, and possible stack-trace text in a local JSON file, which is expected for observability but may retain sensitive operational information if users record it.

Skill content

METRICS_FILE = "agent_metrics.json" ... "details": details or "No details", "stack_trace": stack_trace[:2000] if stack_trace else ""

Recommendation

Avoid recording API keys, tokens, private prompts, customer data, or other secrets in labels/details; delete or reset the metrics file when no longer needed.

What this means

If invoked with the wrong output path, the tool could replace an existing writable file with exported metrics.

Why it was flagged

The export command writes to a caller-specified path. This is purpose-aligned, but an unintended path could overwrite a writable file.

Skill content

exp_parser.add_argument("--output", default="metrics.json", help="Output file") ... with open(output, "w") as f:

Recommendation

Use explicit safe output filenames or directories for exports and review paths before running export commands.

What this means

Users may be confused about setup or may look for a missing wrapper outside the reviewed artifacts.

Why it was flagged

SKILL.md declares Python/psutil requirements and references a PowerShell wrapper, while the registry metadata says there is no install spec/requirements and the provided manifest does not include the wrapper. This is a documentation/package consistency issue.

Skill content

version: 1.0.3 ... "requires": {"bins": ["python"], "pip": ["psutil"]} ... `agent-metrics.ps1` - PowerShell wrapper

Recommendation

Install only the disclosed psutil dependency from a trusted package source and use the provided metrics.py unless a reviewed wrapper is supplied.