Skill v0.1.8

ClawScan security

Precc Token Saver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 11:19 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (intercepting and rewriting every shell command) matches its description, but its install instructions include a high-risk 'curl | bash' installer and a third‑party Homebrew tap, and the runtime instructions ask the agent to ingest session history and always pipe commands through a local hook — all of which raise privacy and supply-chain concerns that are not fully justified or documented.
Guidance
Before installing or enabling this skill: (1) Do not run the 'curl | bash' installer without inspecting the script — prefer installing from a vetted Homebrew formula or official release. (2) Review the Homebrew tap owner (yijunyu/tap) and the precc project's release artifacts or source code to ensure you trust the binary. (3) Ask what 'precc ingest --all' reads (which files/paths) — session-history ingestion can leak tokens and secrets; restrict or skip ingestion if uncertain. (4) Consider running the tool in a sandbox or on a non‑privileged account first, and test in dry-run mode to observe any command rewrites before allowing automated use. (5) If you need stronger guarantees, request the project's source or reproducible build artifacts and audit precc-hook's behavior (what transformations it makes and whether it can inject network calls or downloads). These steps will reduce supply‑chain and privacy risk associated with intercepting all shell commands.

Review Dimensions

Purpose & Capability
ok: The declared binaries (precc-hook, precc) and the runtime instructions directly align with the stated purpose (intercept/repair/compress CLI commands and report savings). Requiring a hook binary is expected for this capability.
Instruction Scope
concern: The SKILL.md instructs the agent to route every shell command through precc-hook and to run 'precc init' and optionally 'precc ingest --all' to mine session history. 'ingest --all' implies reading local session history and possibly other logs/files (not explicitly enumerated). Because the agent enforces the hook at the prompt level, there is also a risk that rewritten commands (from precc-hook output) could change behavior unexpectedly; the doc trusts a local binary to be safe but gives the agent broad discretion to always apply rewrites.
Install Mechanism
concern: Registry install metadata lists a Homebrew formula (tap: yijunyu/tap), which is reasonable but is a third‑party tap. The SKILL.md also instructs users to run 'curl -fsSL https://raw.githubusercontent.com/.../install.sh | bash' — piping a remote script to bash is a high-risk supply-chain pattern because it executes remote code without review. This is disproportionate for a tool that could be installed from a packaged release or audited formula.
Credentials
note: The skill declares no required environment variables or credentials, which is proportionate. However, the 'ingest --all' operation may access local shell/session history or other files not declared in the skill manifest; that file access is not documented in the registry metadata and could reveal secrets or tokens stored in shell history.
Persistence & Privilege
note: The skill does not request always:true and does not require elevated platform privileges. It will create local state ('precc init', databases) and is expected to persist analytics; this is plausible for the stated purpose but means the tool will write files to disk and retain usage data locally.