Alter Actions
PassAudited by ClawScan on May 1, 2026.
Overview
This is a purpose-aligned documentation-style skill for triggering Alter macOS URL actions, with review notes about a missing referenced CLI helper and text being handed to the Alter app.
This skill appears benign and aligned with its description, but it is more of an instruction/catalog artifact than a complete runnable package. Before installing or using it, confirm you have the Alter macOS app, be cautious with sensitive text passed as action input, and do not run any separately obtained `index.js` helper without reviewing its source.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Text you provide to the skill may be sent into the Alter app action you choose, including actions that rewrite, summarize, extract information, or work with code.
The skill triggers another macOS app through a custom URL scheme and passes user-provided input as a URL parameter. This is central to the skill's purpose, but users should understand that chosen text is handed to Alter actions.
alter://action/{action-id}?input={encoded-text}¶m={value}Use it only with content you intend Alter to process, and review higher-impact action choices before triggering them.
The documented command-line examples may not work from the supplied package, and any missing helper code would need separate review if obtained elsewhere.
SKILL.md documents a Node CLI and functions, but the supplied manifest contains only SKILL.md and no `index.js` or install spec. This is an artifact-coherence gap, not evidence of malicious behavior.
node index.js trigger ask-anything --input "What is AI?"
If you plan to use the CLI form, verify the source and contents of any `index.js` or package files before running them.
Sensitive text included as action input may become available to the Alter app and whatever processing that app performs.
The skill is explicitly an inter-application handoff to Alter. The artifacts do not show secret collection or hidden transmission, but the data boundary is the Alter app rather than staying solely inside the current agent.
Triggers an Alter action via x-callback-url.
Avoid sending passwords, private keys, confidential business data, or other sensitive content unless you trust Alter's handling of that data.