Clawshell

The skill's stated purpose is to intercept and mediate shell commands (provide clawshell_bash). However, there are no code files and no install spec that would place a clawshell_bash implementation on disk or in PATH. The registry requires only 'node' and Pushover env vars, but nothing in the package actually implements the interception behavior; instructing the agent (and the user) to replace bash with clawshell_bash is not feasible without additional code. This is an incoherence between claimed capability and the actual artifact.

SKILL.md tells the agent to use clawshell_bash for ALL shell execution and to log to logs/clawshell.jsonl, and it instructs the user to run `npm install` in a skill directory. Those runtime instructions assume an implementation exists and that npm will install dependencies from a package manifest in that directory — but none is provided. The doc also references alternative Telegram env vars (CLAWSHELL_TELEGRAM_BOT_TOKEN, CLAWSHELL_TELEGRAM_CHAT_ID) that are not declared in the registry metadata. The instructions therefore overreach relative to the actual bundle and give the agent broad directives that cannot be validated from the skill itself.

There is no formal install spec (instruction-only), which is low risk from a supply-chain perspective. However, SKILL.md tells the operator to run `npm install` in /app/workspace/skills/clawshell; because no package files are shipped, this instruction is ambiguous. If a user follows it in a directory that contains a package.json (or if the skill later adds one), that could pull arbitrary npm packages. The absence of a concrete install spec is inconsistent and should be clarified before running installs.

The declared required env vars (CLAWSHELL_PUSHOVER_USER and CLAWSHELL_PUSHOVER_TOKEN) align with the described use of Pushover for approvals. That is proportionate. However, the documentation also mentions Telegram-related variables that are not listed in the registry metadata; the skill suggests storing tokens in a .env file. Requiring user/app tokens is expected for notification delivery, but you should confirm the exact variables the installed code will read and avoid placing high-privilege credentials in a skill-specific .env without review.

The skill does not request always:true and does not declare config paths or other elevated system access. It asks the user to add an entry to TOOLS.md so the agent uses clawshell_bash, which changes agent behavior but is an expected integration step for a tool that mediates shell execution. This is not an unexplained persistence or privilege escalation by itself.