Skill Provenance
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for tracking skill bundle versions, with optional local shell helpers that users should inspect before running.
This skill looks coherent and safe for its stated purpose. Before installing or using it, be aware that its optional shell scripts can read and update local bundle files, and provenance files may preserve session summaries or hashes. Inspect MANIFEST.yaml and review generated files before publishing or sharing a bundle.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a manifest were malformed or maliciously edited, local packaging could include unintended files or write to unexpected local paths.
The packaging helper copies files based on paths read from MANIFEST.yaml. This is expected for bundle packaging, but users should inspect manifest paths before running helpers on untrusted or modified bundles.
cp -p "$BUNDLE_DIR/$rel_path" "$dest_dir/$rel_path"
Run the shell helpers only from a trusted bundle directory, inspect MANIFEST.yaml paths for normal relative in-bundle paths, and use a clean output folder.
Running the helper can change MANIFEST.yaml in the selected bundle.
The bundle includes a user-invoked shell script that can recompute hashes and rewrite MANIFEST.yaml. This is disclosed and central to the skill's validation purpose, not hidden execution.
./validate.sh --update [path/to/bundle] Recompute and write hashes
Review changes after using --update and keep a backup or version-control commit before rewriting manifest hashes.
Future agents or teammates may rely on saved summaries, changelogs, and handoff notes, including any mistakes or sensitive details they contain.
The skill may create persistent handoff/context files for future sessions. This is purpose-aligned, but persisted notes can carry stale or sensitive information forward.
handoff.md includes current bundle version, session accomplishments, stale files, and next steps
Review, correct, and redact handoff notes, manifests, and changelogs before reusing them in new sessions or sharing the bundle.
