Changelog
Pass
Audited by ClawScan on May 10, 2026.
Overview
The provided artifacts show a local changelog-style CLI helper that stores user-entered data on disk, with no evidence of credential use, network access, or destructive behavior.
This appears safe for ordinary local use, but verify the actual `changelog` executable before running it and avoid passing secrets because entries are stored persistently in `~/.local/share/changelog/`.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not perform the richer changelog-generation behavior its description suggests.
This sets expectations for a full changelog generator, but the provided script excerpt mainly shows generic local logging commands. Users should verify the actual functionality before relying on its output.
Changelog generator — commit parsing, version grouping, markdown output, conventional commits, breaking change detection, and templates.
Confirm the CLI behavior with `changelog help` and test it on non-sensitive data before using it in release workflows.
If the reviewed script is not what gets installed or executed, the user or agent could run a different `changelog` command from the local PATH.
SKILL.md documents a `changelog` command, but no installer or required binary is declared. This is a provenance and usability ambiguity rather than evidence of unsafe installation.
No install spec — this is an instruction-only skill.
Verify which executable is being run, and prefer an explicit install or link to the reviewed script.
Text passed to the tool may be retained locally and later exported or viewed.
The script creates a persistent local data directory and appends activity to history logs. This is disclosed and purpose-aligned, but users should know inputs remain on disk.
DATA_DIR="${HOME}/.local/share/changelog"
mkdir -p "$DATA_DIR"
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }
Avoid entering secrets or private release details unless local persistence is acceptable, and clear `~/.local/share/changelog/` when needed.
