Pywayne Bin Cmdlogger
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cmdlogger
Version: 0.1.0
The `cmdlogger` skill, as described in `SKILL.md`, is designed to execute arbitrary commands and log all their I/O (stdin, stdout, stderr) to a file. A critical note in `SKILL.md` explicitly warns that 'User input (including passwords) is logged' for interactive commands. Combined with the ability to specify an arbitrary `--log-path`, this creates a significant vulnerability where an AI agent, if subjected to prompt injection, could be coerced into logging sensitive credentials or other data to a potentially insecure location, enabling data exfiltration. While the skill's stated purpose is benign, its inherent capability to capture and store sensitive data makes it highly susceptible to malicious exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on a destructive or account-changing command, the logger will still execute that command while recording its I/O.
The skill is designed to execute arbitrary user-supplied commands. This is purpose-aligned for a command logger, but broad command execution can affect files, systems, or accounts depending on the command chosen.
`cmdlogger <command> [args...]` and `command | The command to execute`
Use it only for commands the user has explicitly requested, and review commands that deploy, delete, publish, or modify important data before running them.
The behavior depends on whatever `cmdlogger` executable is present in the user's environment, which may not be the one the user expects.
The documentation relies on a `cmdlogger` executable, while the provided package is instruction-only and does not include an install spec or declared binary requirement.
`cmdlogger --log-path <log_path> <command> [args...]`
Confirm the installed `cmdlogger` binary and its source before using this skill, especially on sensitive commands.
Passwords, tokens, private command output, or debugging data may remain on disk in the log file after the command finishes.
The skill intentionally persists full stdin, stdout, and stderr to a log file, including potentially sensitive interactive input.
`User input (including passwords) is logged. Be careful with sensitive information.`
Avoid using it for password prompts or secret-bearing commands, choose log paths carefully, restrict log file access, and delete or redact logs when no longer needed.
