Kannaka Eye
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears intended as a local glyph viewer, but the package is missing its main server file and its launcher would run a server.js outside the reviewed skill package.
Treat this package as requiring review before use. The local viewer idea is not inherently unsafe, but the reviewed artifacts do not contain the server they tell you to run, and the script points outside the skill directory. Ask the publisher to provide the missing server.js and fix the path before installing or starting it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill may fail, or may rely on code that was not included in the reviewed package.
The documentation describes a 'single-file Node.js server' and commands such as 'node server.js', but server.js is not included in the reviewed file manifest.
4 file(s): README.md; scripts/eye.sh; SKILL.md; _meta.json
Do not run this skill until the package includes the intended server.js or clearly documents and verifies where that server code comes from.
A user who runs the quick-start command could execute code outside the reviewed skill package.
The launcher executes a server.js located three directories above the script, not an included file in the skill directory. That could execute unrelated or unreviewed local JavaScript.
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)" SERVER="$PROJECT_ROOT/server.js" node "$SERVER" --port "$PORT" &
Change the launcher to execute an included, reviewed server file under the skill directory, or inspect the resolved server.js path before running.
The local server can keep running after the terminal command finishes.
The start command backgrounds and disowns the Node server. This is disclosed and has a stop command, but it is persistent local behavior.
node "$SERVER" --port "$PORT" & disown
Use the provided stop command when finished, and confirm which process is listening on the configured port.
If Flux is enabled, information derived from rendered inputs may be sent to a remote Flux endpoint.
The skill discloses optional remote publishing to Flux when FLUX_URL is configured. This is purpose-aligned, but derived glyph metadata may leave the local machine.
FLUX_URL ... Flux instance URL for publishing glyph.rendered events ... data_destinations ... flux ... remote: true ... condition: "FLUX_URL is set"
Only set FLUX_URL to a trusted endpoint and avoid processing sensitive files if you do not want derived glyph events published.