Pywayne Bin Gettool
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could fetch, build, or install code whose provenance is not clear from the reviewed artifacts.
The skill builds and installs code from an external repository and allows the repository URL to be changed, but the artifacts do not provide a concrete reviewed source, homepage, default repository URL, or implementation for gettool.
Fetch and install C++ tools/libraries from cpp_tools repository ... gettool --set-url <URL>
Verify the gettool binary and cpp_tools repository URL before use, prefer pinned versions, and document the trusted source in the skill metadata or install instructions.
Running build or install steps for third-party C++ projects can execute arbitrary build scripts and change local files or system configuration.
The instructions can cause fetched code and installer scripts to execute locally; this is purpose-aligned for a build/install tool but is high-impact and not bounded by review or confirmation guidance.
Build the tool using CMake and make ... After fetching, execute the tool's installation script (if configured) ... Use sudo make install
Require explicit user approval before using build or install flags, inspect installer scripts, and avoid running fetched code with elevated privileges unless necessary.
A sudo install can modify protected system paths and persist changes beyond the current project.
This explicitly introduces elevated local privileges for system-wide installation, but the artifact does not document approval, scope, or rollback controls.
`--global-install-flag` | Set to `true` for sudo make install
Use project-local target directories by default, ask the user before any sudo/global install, and provide clear rollback or uninstall instructions.
