Agent Metrics

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any secrets or private information placed in metric labels or error details could remain on disk and later be shown or exported.

Why it was flagged

The tool persists metric labels, error details, and possible stack-trace text in a local JSON file, which is expected for observability but may retain sensitive operational information if users record it.

Skill content

METRICS_FILE = "agent_metrics.json" ... "details": details or "No details", "stack_trace": stack_trace[:2000] if stack_trace else ""

Recommendation

Avoid recording API keys, tokens, private prompts, customer data, or other secrets in labels/details; delete or reset the metrics file when no longer needed.

What this means

If invoked with the wrong output path, the tool could replace an existing writable file with exported metrics.

Why it was flagged

The export command writes to a caller-specified path. This is purpose-aligned, but an unintended path could overwrite a writable file.

Skill content

exp_parser.add_argument("--output", default="metrics.json", help="Output file") ... with open(output, "w") as f:

Recommendation

Use explicit safe output filenames or directories for exports and review paths before running export commands.

What this means

Users may be confused about setup or may look for a missing wrapper outside the reviewed artifacts.

Why it was flagged

SKILL.md declares Python/psutil requirements and references a PowerShell wrapper, while the registry metadata says there is no install spec/requirements and the provided manifest does not include the wrapper. This is a documentation/package consistency issue.

Skill content

version: 1.0.3 ... "requires": {"bins": ["python"], "pip": ["psutil"]} ... `agent-metrics.ps1` - PowerShell wrapper

Recommendation

Install only the disclosed psutil dependency from a trusted package source and use the provided metrics.py unless a reviewed wrapper is supplied.