Bash Themes
ReviewAudited by ClawScan on May 10, 2026.
Overview
The files do not show credential theft or destructive actions, but the skill advertises a Bash theme manager while its included script is an unrelated developer-workflow stub that logs command use locally.
Review this before installing because the artifact set is not coherent: it claims to manage Bash themes/Oh My Bash, but the included implementation is mostly a placeholder and an unrelated developer-workflow script. If you test it, avoid sensitive command arguments and verify exactly what command wrapper will run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could install and invoke this expecting Bash theme/configuration management, but the included runnable behavior appears to be a different placeholder tool.
This advertised purpose conflicts with the included code: scripts/oh_my_bash.sh has `run) echo "TODO: Implement main functionality"`, and scripts/script.sh labels itself a `Developer workflow automation tool` with init/check/build/deploy commands.
description: "A delightful community-driven framework for managing your bash configuration, and an auto-update..." ... "Core functionality from ohmybash/bash-themes"
Do not rely on the description until the author aligns the documentation, command names, and actual implementation, or clearly explains that this is only a placeholder.
Users may not know which script is actually invoked or how the advertised command is installed.
SKILL.md still instructs users to run `bash-themes <command> [args]`, and the package includes scripts, so the exact installation/wrapper path is under-documented. This is a clarity/provenance note, not evidence of hidden execution.
No install spec — this is an instruction-only skill.
Ask the publisher to document the install/wrapper mechanism and make clear which script backs the `bash-themes` command.
If a user passes sensitive text as a command argument, it may be stored locally in the skill's history file.
The script persists command names and the first argument to a local history log. There is no evidence of exfiltration or reuse as agent memory, but user-supplied arguments can be retained on disk.
DATA_DIR="${BASH_THEMES_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/bash-themes}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }Avoid passing secrets or sensitive text as arguments, and set `BASH_THEMES_DIR` or clear the history file if local retention is not desired.