v1.0.0

Custom Commands

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:50 AM.

Analysis

The skill is coherent, but it deserves review because it defines broad file backup, sync, and delete commands, including cloud backup by default, without clear safeguards.

GuidanceOnly install this if you are comfortable giving the agent custom commands that may copy, sync, or delete files. Configure explicit backup destinations, require confirmation before deletions or syncs, and periodically review any saved memory archives.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

`backup [path]` - Backs up files/folders to a specified location (default: cloud storage); `sync [source] [destination]` - Synchronizes files between locations; `clean [pattern]` - Deletes temporary files matching a pattern

These instructions define commands that can upload or copy files, synchronize locations, and delete files, but the artifact does not state approval, dry-run, path limits, exclusions, overwrite behavior, or the cloud destination.

User impactA mistaken or overly broad command could copy private files to an unspecified cloud location, overwrite synced data, or delete files that match a broad pattern.

RecommendationBefore installing, require explicit user confirmation for backup, sync, and clean; specify approved destinations and paths; add dry-run previews; and define safe exclusions and rollback expectations.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Save only high-impact decisions ... Redact IPs, credentials, or internal URLs before storing ... Archive completed tasks to `memory/archived/` with dated filenames

The skill intentionally stores persistent task and decision records. The redaction rule is helpful, but the artifact does not define retention, review, or reuse boundaries for those memories.

User impactProject decisions or task context may persist across future sessions and could influence later agent behavior.

RecommendationReview what is saved to memory, keep redaction enabled, and add a retention or deletion process for archived task records.