pc-assistant

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A healthcheck report may reveal sensitive details about the machine, network, users, services, and SSH access patterns if another local user or process can read the report, or if the user later shares it.

Why it was flagged

The script defaults to saving reports under /tmp and includes SSH authorized_keys/known_hosts content in the report. The artifacts do not show private directory or file permissions being enforced.

Skill content
OUTPUT_DIR="${1:-/tmp/pc-healthcheck}" ... [ -f "$keyfile" ] && echo "$keyfile:" && cat "$keyfile" | head -5 ... head -10 ~/.ssh/known_hosts
Recommendation

Use a private output directory, set restrictive permissions such as 700 on the directory and 600 on report files, and consider redacting SSH, network, and login details before sharing reports.

What this means

If the config file is modified by mistake or by another local actor, the scheduled healthcheck could execute unintended commands as the user.

Why it was flagged

The scheduler loads its config file by sourcing it as shell code. This is a common pattern, but it means any commands placed in that config run when the scheduler runs.

Skill content
if [[ -f "$CONFIG_FILE" ]]; then ... source "$CONFIG_FILE"
Recommendation

Keep the config file private and writable only by the user, or replace shell sourcing with parsing only the expected PC_ASSISTANT_* key/value settings.

What this means

Windows or macOS users may find the advertised functionality broken or unverifiable from this package.

Why it was flagged

The install manifest declares macOS and Windows scripts, but the supplied file manifest/code presence only includes healthcheck.sh, run.sh, and schedule.sh. Those platform implementations are therefore missing from the reviewed artifacts.

Skill content
files:
  - scripts/healthcheck.command # macOS
  - scripts/healthcheck.ps1     # Windows
Recommendation

Verify the package source and ensure all referenced platform scripts are present before relying on Windows or macOS support.

Note
High Confidence
ASI10: Rogue Agents
What this means

If scheduled, the skill may continue generating diagnostic reports until the cron entry is removed, causing sensitive reports to accumulate.

Why it was flagged

The skill documents a cron job for recurring healthchecks. This persistence is disclosed and user-directed, not hidden, but it can repeatedly create sensitive reports.

Skill content
# Add to crontab (runs daily at midnight)
0 0 * * * PC_ASSISTANT_OUTPUT_DIR=... scripts/schedule.sh
Recommendation

Only add the cron job if recurring diagnostics are intended, use a private report directory, enable cleanup deliberately, and periodically review or remove the scheduled job.