Clawditor
Pass. Audited by ClawScan on May 10, 2026.
Overview
Clawditor is a coherent local workspace-auditing skill with no evident exfiltration or destructive behavior, but it intentionally scans local memory/log files and may run local tests.
This skill appears safe for its intended local audit purpose. Use it in a workspace you are comfortable scanning, review generated eval/ files before sharing them, and approve or sandbox any test execution in untrusted projects.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated audit files may contain snippets from local logs, which could expose sensitive details if the eval/ directory is shared.
The log scanner records excerpts from matching log lines. This supports reliability auditing, but log lines can contain sensitive values and should be treated as private.
    hits.append({"label": label, "line": i + 1, "text": line.strip()[:200]})
Review generated eval outputs before sharing them, and consider adding redaction for tokens, secrets, and personal data in log excerpts.
Audit reports may preserve short excerpts from agent memory files.
The duplicate-memory helper includes excerpts from memory paragraphs in its output. This is expected for diagnosing memory duplication, but memory files may contain private workspace context.
    "snippet": a["text"][:160]
Run it only on workspaces you intend to audit, and inspect or redact memory-derived outputs before reusing or publishing reports.
If the agent chooses to run tests in an untrusted or side-effectful project, those tests could modify files, use local resources, or contact services configured by the project.
The instructions permit test execution as part of reliability analysis. This is purpose-aligned, but local tests can execute project code and may have side effects depending on the workspace.
Run tests only if safe and cheap; otherwise static inspection.
Require explicit approval or use a sandbox before running tests in unfamiliar repositories.
