Skill v0.2.2
ClawScan security
ClawKeeper — Tasks & habits in a plain markdown file · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 7:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is a CLI-backed task/habit manager that expects a local directory (CLAWKEEPER_DIR) and the clawkeeper binary, which matches its description.
- Guidance: This appears to be a straightforward CLI-driven task manager. Before installing: (1) verify the npm package source and maintainers (npm packages can run code during install); (2) ensure CLAWKEEPER_DIR is set to a directory you control (not /, /etc, your home dir root, or any sensitive path) and give it appropriate permissions; (3) consider running the npm install in a sandbox or review the package code if you need higher assurance; (4) be aware that if multiple agents share the same CLAWKEEPER_DIR, they will read/write the same data which may affect privacy.
Review Dimensions
- Purpose & Capability (ok): Name/description (local markdown task/habit manager) align with the declared requirements: it needs a 'clawkeeper' CLI and a directory (CLAWKEEPER_DIR) where markdown data is stored. Asking for CLAWKEEPER_DIR as the primaryEnv is slightly unusual (it's a path, not a secret) but not incoherent.
- Instruction Scope (note): SKILL.md only instructs the agent to run the clawkeeper CLI against the directory in CLAWKEEPER_DIR and to perform periodic 'heartbeat' checks on tasks/habits. This stays within the skill's stated purpose. Note: because the CLI reads and writes whatever is under CLAWKEEPER_DIR, an attacker or misconfiguration that sets CLAWKEEPER_DIR to a sensitive location could expose or overwrite unrelated files. The instructions do not reference other env vars, system paths, or external endpoints.
- Install Mechanism (note): Install is via the npm package 'clawkeeper' which creates the 'clawkeeper' binary. Using npm for a CLI is reasonable; npm packages carry the usual supply-chain risk (packages can execute arbitrary code during install). There is no direct download from an unknown URL in the spec.
- Credentials (note): Only CLAWKEEPER_DIR is required, which is proportionate to a local file-backed CLI. However, treating a path as the primary credential is odd; confirm you trust the directory value. If CLAWKEEPER_DIR points to a shared or sensitive folder, the skill (and the CLI it runs) could read/modify unrelated files.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide changes or persistent/always-on inclusion. Model invocation is allowed (the platform default), which is expected for a usable skill. The skill does not claim to modify other skills or global agent settings.
