Hashcheck

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent local checksum tool with no evidence of networking, persistence, credential use, or destructive behavior.

This skill appears safe for normal checksum use. Before installing or invoking it, remember that it reads the files you name and prints filenames, sizes, hashes, and, for text inputs, a short preview of the text.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can read whichever local files the user asks it to hash and can print their filenames, sizes, and hash values.

Why it was flagged

The helper reads the file path supplied to the hash, verify, compare, or all commands in order to compute a digest. This is expected for a checksum tool and the code does not show network transmission or file modification.

Skill content

with open(path, "rb") as f:

Recommendation

Use it only on files you intend the agent/session to access, especially if filenames or hashes are sensitive.

What this means

If a user hashes a password, token, or other secret as text, part of that secret may appear in the output.

Why it was flagged

The text-hashing command echoes up to the first 50 characters of the provided string along with the digest. This is not hidden exfiltration, but it can reveal sensitive text in the terminal or conversation log.

Skill content

print(f"{digest}  \"{args.text[:50]}{'...' if len(args.text)>50 else ''}\"")

Recommendation

Avoid using the text command for secrets unless you are comfortable with the input preview being shown, or modify the tool to suppress echoing input text.