v1.0.0

Andon

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:51 AM.

Analysis

This appears to be a straightforward local Andon status-board tool that stores entries on disk, with no evidence of hidden network, credential, or destructive behavior.

Guidance: Reasonable to install if you want a local Andon board. Review the bundled script if your agent may run commands automatically, keep entries non-sensitive, and confirm remove/export/config operations before use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
SKILL.md
scripts/script.sh status

The skill instructs use of a bundled Bash script for its commands. This is local code execution, but it is the disclosed and central mechanism for the CLI-style tool.

User impact: Using the skill may cause the agent to run the included local shell script when handling Andon tasks.
Recommendation: Review the script before relying on automatic agent invocation, and use only the commands needed for the task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
scripts/script.sh
sed -i "${num}d" "$DATA_DIR/data.jsonl" ... cp "$DATA_DIR/data.jsonl" "$out"

The remove command edits the local Andon data file, and the export command writes an output file. These actions fit the stated purpose but can change local data.

User impact: A mistaken remove command could delete an Andon entry, and export may overwrite the default local export file.
Recommendation: Confirm remove and export actions before running them, especially if the Andon data is important.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
scripts/script.sh
DATA_DIR="${ANDON_DIR:-$HOME/.andon}" ... >> "$DATA_DIR/data.jsonl"

Entries are appended to a persistent local data file under the configured Andon directory, so content can be reused, listed, searched, or exported later.

User impact: Information entered into the Andon board remains on disk and may appear in later lists, searches, or exports.
Recommendation: Avoid storing secrets in Andon entries, and set ANDON_DIR to a project-specific location if you want to isolate the data.