Skill

The skill's stated purpose (local security scanner / PII sanitizer) matches what the instructions ask you to do, but there are important inconsistencies and operational risks — notably the instructions rely on npx @latest (a network fetch / mutable package) despite claiming '100% local', and they encourage broadcasting scan results which could propagate false trust.

This SKILL.md describes a useful local security tool, but it does not bundle code — it instructs agents to run 'npx ClawGuard-ai@latest', which will download and execute code from the npm registry at runtime. That contradicts the '100% local' claim and is the primary risk. Before installing or following these instructions: (1) prefer a vendored/pinned release (specific version + checksum) rather than @latest; (2) verify the npm package and its GitHub repo ownership, recent commits, and release artifacts; (3) audit the package source (or ask the publisher for a signed release) and run it in an isolated/sandboxed environment first; (4) avoid automatically broadcasting 'I scanned X — all clear' without a human review to prevent false-trust propagation; (5) clarify how replacement maps (PII/secret mappings) are stored, encrypted, and deleted. If you cannot verify the npm package and provenance, treat the runtime npx fetch as a significant supply-chain risk and do not run it on sensitive hosts.