Workspace Hygiene Publish

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a disclosed workspace-audit tool that reads workspace memory and project files, writes reports, and can optionally merge memory files when explicitly run with fixes enabled.

This skill looks proportionate for workspace cleanup, but install it only if you are comfortable with it reading the selected workspace's memory and project files, writing hygiene reports, and optionally modifying memory files when --fix is used.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If fixes are enabled, the skill may modify memory files in the selected workspace.

Why it was flagged

The skill discloses an optional auto-fix path that can change workspace memory organization; this is purpose-aligned but should be user-directed and reviewed.

Skill content

| Timestamp-format memory files | Auto-consolidate into date file |

Recommendation

Run the audit without --fix first, review the report, and keep backups before allowing automated memory consolidation.

What this means

Private workspace memory and project context may be read and summarized into a persistent hygiene report inside the workspace.

Why it was flagged

The skill intentionally reads persistent workspace memory and checks formatting that affects future retrieval and agent context.

Skill content

Scans `memory/` for: ... Daily logs older than 30 days ... MEMORY.md line count ... validates that recent memory entries

Recommendation

Use it only on workspaces you trust, review generated reports for sensitive content, and avoid treating unreviewed memory or README content as authoritative.

What this means

The workspace audit may run repeatedly and create new reports on a schedule if added to HEARTBEAT.md.

Why it was flagged

The skill suggests a recurring weekly workflow, which is disclosed and purpose-aligned but creates ongoing agent activity if the user adds it.

Skill content

Runs on demand or weekly. ... Add to `HEARTBEAT.md`: ... Weekly Hygiene (Monday) - Run `python3 skills/workspace-hygiene/scripts/hygiene.py --workspace <path>`

Recommendation

Only add the weekly heartbeat entry if recurring audits are desired, and keep the scheduled command report-only unless automatic fixes are intentionally enabled.

What this means

Users have less external context for who maintains the skill or where to verify updates.

Why it was flagged

The supplied package includes source files and no external package install step, but the registry metadata does not provide an upstream source or homepage for provenance.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included files before installation and prefer installing trusted, versioned copies.