Portable Tools
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent portability checklist, but it tells agents to use and show exact OAuth token values, which could expose account credentials in chat or logs.
Review this skill before installing if you use it around OAuth, keychain, or token-handling work. Its portability checklist is useful, but you should tell the agent never to print full secrets; use redacted values, hashes, or timestamps instead, and only run the bash checklist on code directories you intentionally choose.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following this guidance could reveal OAuth tokens or other credentials while trying to prove a tool worked, potentially exposing the user's account access.
The skill explicitly encourages showing exact real credential values, using OAuth access tokens as the example. Access tokens can grant account access and should not be displayed in chat, logs, or reports.
"Require: - Concrete BEFORE state (exact values)" ... "- Access Token: POp5z1fi...eSN9VAAA" ... "**Action:** Always show data transformation with real values"
Replace real token output with redacted values, hashes, expiration timestamps, or prefix/suffix-only comparisons, and require explicit user approval before inspecting any credential store.
An agent could probe local credential entries or read token-containing configuration while generalizing a tool, even when the user only asked for portability advice.
The examples teach reading password/keychain entries and automatically trying fallback account names. That is sensitive local credential-store access and the artifacts do not clearly scope which service/account may be queried or what output is safe.
security find-generic-password -s "Service" -a "account" -w ... for fallback in "claude" "default" "oauth"
Limit credential examples to mock data by default, document explicit consent requirements, and scope any credential lookup to a named service/account with redacted output.
If run on a broad or sensitive directory, the checklist may display snippets such as hardcoded local paths from source files.
The included helper is a user-directed local bash script that scans a target directory for portability issues. This is purpose-aligned, but it will inspect files under the chosen path and print some findings to the terminal.
bash ~/clawd/skills/portable-tools/pre-publish-checklist.sh /path/to/your/code
Run the checklist only on the specific code directory you intend to review, and inspect the script/output before sharing results.
