CAN: Clock Address Naming
Pass
Audited by ClawScan on May 10, 2026.
Overview
CAN is a transparent instruction-only local hashing and logging skill; the main thing to notice is that it can create persistent local records or caches of tool/API outputs.
This skill appears benign and purpose-aligned. Install it if you want a simple local hash/timestamp audit trail, but be deliberate about what MCP/API/tool results you log or store because CAN records can persist under ~/.can and may later be reused as agent context.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Tool or API outputs may remain available in local logs/caches and could be reused later; sensitive or malicious content would remain intact unless the user manages it.
The skill is designed to persist and reuse tool outputs as local agent memory. Hashing verifies that cached content is unchanged, but it does not prove the content is safe, true, non-sensitive, or appropriate to re-inject into later prompts.
Offline Recall: Agents can verify and retrieve past MCP results... Tamper Evidence: Hash verification guarantees that context injected into prompts is exactly what was originally returned by the tool.
Only stamp or cache outputs you are comfortable retaining locally, avoid storing secrets or private data, and treat retrieved cached content as untrusted unless the source and context are still appropriate.
Running the examples will create or modify local CAN files, primarily ~/.can/index.tsv.
The skill documents shell commands that append to a local file. This is expected for a local hashing/logging skill and there is no hidden install or executable code, but it still modifies the user's home directory.
echo -e "$WHEN\t$WHERE\t$WHAT" >> ~/.can/index.tsv
Review the commands before running them and keep CAN logs in a location you are comfortable maintaining or deleting.
