Cache
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a purpose-aligned local cache tool, with the main user-visible risk being that cached values can persist locally and may include sensitive session or API data.
This skill looks safe for its stated purpose as a local cache manager. Before installing, be aware that it stores raw cache values under ~/.cache-tool, can delete or overwrite cache entries, and depends on local Bash/Python despite incomplete requirement metadata. Do not cache secrets or session tokens unless local plaintext storage is acceptable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken flush or overwrite operation could delete cached API responses, session-related data, or computed results stored by the skill.
The flush command can clear the cache data file. This is expected for a cache manager and is limited to the cache store, but it is still a destructive local action if invoked accidentally.
if not pattern:
    # Flush everything
    with open(data_file, "w") as f:
        pass
Use delete, flush, and import intentionally; export a backup first if the cache contains data you may need later.
The skill may rely on whichever local Bash/Python executables are available, and version information may be confusing during review or troubleshooting.
The registry metadata is not fully aligned with the artifacts: SKILL.md/script identify version 1.0.0, and the skill prerequisites/script require Bash and Python even though the metadata declares no required binaries. This is a coherence issue, not evidence of hidden behavior.
Version: 2.0.0 ... Required binaries (all must exist): none ... Required binaries (at least one): none
Verify the source and local Python/Bash installation before use; maintainers should align registry versioning and declare runtime prerequisites.
Sensitive cached values could be exposed to anyone with access to the local cache file or to logs/conversations that include raw get output.
The skill intentionally persists raw cached values locally and later returns them verbatim. If users cache sensitive session/API data, that data can remain on disk and be reintroduced into future agent context.
Use when caching API responses, session data, or computed results ... Cache entries are stored in `~/.cache-tool/data.jsonl` ... `get` returns the raw value to stdout.
Avoid storing secrets, tokens, or highly sensitive session data unless you are comfortable with local plaintext persistence; use short TTLs and flush old entries when no longer needed.
