Skill v2.0.1

ClawScan security

Codepal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 10:38 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
CodePal's requested files, runtime instructions, and behavior are internally consistent with a local devtools logging/analysis utility; it writes user inputs to a local data directory but does not request external credentials, perform network calls, or install remote code.
Guidance
This skill appears to be a straightforward local devtools logger and is coherent with its description. Before installing, note: (1) Everything you pass to codepal (prompts, code snippets, filenames) is stored in ~/.local/share/codepal and will be exportable — avoid logging secrets or private keys. (2) There are minor bugs/inconsistencies in the script's history/export formatting; they may affect outputs but aren't malicious. (3) The skill does not perform network calls or request credentials, so its primary privacy risk is local disk persistence. If you plan to use it in sensitive projects, review or sandbox the script and consider storing the data directory on encrypted storage or not logging sensitive inputs.

Review Dimensions

Purpose & Capability
ok: Name/description claim a local code analysis/devtools helper. The included script implements command logging, search, export, stats, and status under ~/.local/share/codepal — functionality aligns with the stated purpose and requires only standard Unix tools.
Instruction Scope
note: SKILL.md and the script confine operations to local files under the user's home data directory and standard Unix utilities. They do persist all user-provided inputs (snippets, prompts, logs) to disk, so sensitive code/credentials pasted into commands will be stored locally. There are minor implementation inconsistencies (e.g., history.log timestamp format vs. other commands expecting '|' separators) that affect correctness but not safety.
Install Mechanism
ok: No install spec — instruction-only with one helper script. No downloads, third-party package installs, or external URLs executed at runtime.
Credentials
ok: No environment variables, API keys, or external credentials are requested or required. The script uses HOME implicitly to build ~/.local/share/codepal which is expected for a local tool.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It creates and writes logs under the user's home directory (normal for this tool) and can export those logs to files — persistent data is local and limited to the skill's own data directory.