v1.0.0

Systematic Debugging

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:17 AM.

Analysis

This is mostly a normal debugging checklist, but it tells the agent to log environment, secrets, and keychain/signing details without clear redaction or approval boundaries.

Guidance: Before installing or using this skill, be aware that its debugging process may lead the agent to add logs and inspect environment or signing information. It is best used with a rule that secrets must never be printed, diagnostic logs must be temporary, and keychain or signing checks require explicit user approval.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low
Confidence: High
Status: Note
SKILL.md
BEFORE proposing fixes, add diagnostic instrumentation:
For EACH component boundary:
- Log what data enters component
- Log what data exits component

Adding temporary diagnostic logs is normal for debugging, but the instruction is broad and does not explicitly require minimizing, redacting, or removing instrumentation afterward.

User impact: The agent may propose or add broad logging across components, which can clutter code, expose data in logs, or accidentally remain after the debugging session.
Recommendation: Review diagnostic changes before running or committing them, keep logging narrowly scoped, redact sensitive data, and remove temporary instrumentation after root cause analysis.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium
Confidence: High
Status: Concern
SKILL.md
echo "=== Secrets available in workflow: ===" ... env | grep IDENTITY ... security list-keychains ... security find-identity -v

The skill's diagnostic example tells the agent to inspect or print secret-related environment data and local signing/keychain state, but it does not require redaction, user approval, or limits on where that output may be logged.

User impact: Sensitive environment values, signing identities, or keychain details could be exposed in terminal output, CI logs, issue comments, or agent context during debugging.
Recommendation: Use this skill only with explicit limits: log presence rather than values, redact secrets, avoid dumping full environment output, and get user approval before inspecting keychains or signing identities.