v1.1.0

Mechanic

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

Mechanic is a coherent vehicle-maintenance tracker, but it asks to create a recurring cron job and stores sensitive vehicle/insurance details, so users should review persistence and data handling before installing.

Guidance: Before installing, decide whether you are comfortable storing vehicle and insurance-related details in the workspace. If you use reminders, require the skill to show and explain any cron job before it is created, and keep removal instructions handy.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Medium, Confidence: Medium, Status: Concern
SKILL.md
5. Set up the cron job (see **Mileage Check Setup**)

The runtime setup directs creation of a persistent scheduled job. The provided artifacts do not show the exact cron entry, approval step, execution boundary, or removal procedure.

User impact: The skill could create recurring background check-ins that persist beyond the current task and may continue interacting with or modifying maintenance data.
Recommendation: Require explicit user approval before creating any cron job, show the exact cron entry and command/path, document what it can do, and provide clear disable/remove instructions.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
SKILL.md
`state.json` | All vehicles: current mileage/hours, history, service records, fuel logs, warranties, providers, emergency info

The skill intentionally stores persistent vehicle history and emergency information, which can include sensitive personal and insurance-related data.

User impact: Anyone with access to the workspace data could see VINs, service history, mileage patterns, provider details, warranties, and emergency/insurance information.
Recommendation: Store only data needed for maintenance tracking, avoid unnecessary policy numbers or personal details, protect the workspace, and ask before sharing or exporting this data.

Insecure Inter-Agent Communication
Severity: Low, Confidence: Medium, Status: Note
README.md
NHTSA recall monitoring — Checks for open recalls by VIN (free API)

Recall monitoring is purpose-aligned, but it implies sending or using a vehicle VIN with an external public API.

User impact: A vehicle identifier may be used with an outside recall service when checking recalls.
Recommendation: Tell users before VIN lookups, identify the external service being used, and avoid sending more vehicle or owner data than the recall check requires.