Frequently asked questions
The short version: the scan runs on your machine, nothing is uploaded, and the tool never deletes anything for you. The details are below.
Is anything uploaded?
No. The scan runs on your machine and never makes a network request. The web app parses your stack-cleaner.json in the browser and keeps it only in that browser's localStorage. There is no server to upload to.
Can it delete or change anything on my computer?
No. The scan only reads. The cleanup features only generate text (a paste-to-Claude prompt, a shell script, or JSON) that you review and run yourself. The tool never touches your files.
Are my API keys and secrets safe?
Known secret-bearing fields are redacted before the file is written: MCP env values, auth headers, URL credentials and query strings, and token-looking command arguments all become <redacted>. Your home directory is rewritten to ~ so your username never leaks.
One caveat: skill and agent descriptions are prose copied from frontmatter. We run a best-effort scrub over them, but it isn't a guarantee. Don't keep secrets in a SKILL.md description. If you ever spot an unredacted secret, see SECURITY.md: rotate the credential first, then report it privately.
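Because the scrub over descriptions is best-effort, you can audit the file yourself before sharing it. The following is an added example, not code from the stack-cleaner project: a small Node check that walks any parsed JSON and flags strings that look unredacted. The detection patterns and the sample's field names are assumptions made for illustration; they are not the scanner's rules or the real file schema.

```javascript
// Added example: audit a parsed stack-cleaner.json for values that escaped redaction.
// The patterns below are assumptions for illustration, not the scanner's own rules.
const CHECKS = [
  // Absolute home paths that should have been rewritten to "~".
  ["home-path", /(?:\/Users\/|\/home\/|[A-Za-z]:\\Users\\)[^\/\\\s"']+/],
  // Authorization-style header values.
  ["auth-header", /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]{8,}/i],
  // Long unbroken token-looking runs (API keys and similar).
  ["token-like", /[A-Za-z0-9_\-]{32,}/],
];

// Flag URLs that still carry userinfo credentials or a query string.
function urlLeak(text) {
  for (const m of text.matchAll(/[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi)) {
    let u;
    try { u = new URL(m[0]); } catch { continue; }
    if (u.username || u.password) return "url-credentials";
    if (u.search.length > 1) return "url-query";
  }
  return null;
}

// Walk any JSON value; return [{ path, reason }] for each suspicious string.
function findLeaks(value, path = "$", out = []) {
  if (typeof value === "string") {
    if (value === "<redacted>") return out;
    const hit = CHECKS.find(([, re]) => re.test(value));
    const reason = urlLeak(value) || (hit && hit[0]);
    if (reason) out.push({ path, reason });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findLeaks(v, `${path}[${i}]`, out));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findLeaks(v, `${path}.${k}`, out);
  }
  return out;
}

// Constructed sample; field names are hypothetical, not the real file schema.
const sample = {
  mcpServers: [
    { name: "docs", env: { API_KEY: "<redacted>" }, url: "https://example.test/mcp" },
    { name: "db", url: "https://user:hunter2@db.example.test/mcp" },
    { name: "search", args: ["--token", "tok_0123456789abcdef0123456789abcdef"] },
  ],
  skills: [{ name: "deploy", description: "Reads /Users/alice/notes before deploying" }],
};

for (const { path, reason } of findLeaks(sample)) console.log(`${reason}\t${path}`);
```

To audit a real file, pass the parsed contents of your stack-cleaner.json to findLeaks in place of the sample; an empty result means none of these assumed patterns matched, not that the file is guaranteed clean.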
Do I need a GitHub account or to know the terminal?
No. The setup wizard is copy-paste: you copy one line, paste it into your terminal, press Enter, and drop the resulting file into the tool. No GitHub account, no coding.
How does it know what I actually use?
The scan reads your local Claude Code transcripts (the session logs in ~/.claude/projects) and counts how many times each skill, agent, and MCP server was actually invoked, plus when it was last used. That's how the tool can show “installed but never used,” even for MCP servers and agents, which carry no usage count in plain config.
It reads only the tool, skill, agent, and MCP-server names, the counts, and the timestamps: never your prompts, message text, arguments, file paths, or command contents. It all stays on your machine until you choose to upload the file. To skip the transcript read entirely, run the scan with --no-transcripts.
Does this work on Windows?
Yes. The setup page gives you a Windows-specific (PowerShell-safe) command to copy. The scanner is plain Node and runs the same on Windows, macOS, and Linux.
I don't trust “curl | node”. What else can I do?
That's a healthy instinct. You have options, lightest-touch first:
- Run npx stack-cleaner@latest instead. No pipe, no curl: npm fetches the published, versioned package and runs it. It's the same code as /scan.mjs, just delivered through npm.
- Open /scan.mjs, read it (one short, dependency-free file), save it, then run node on the saved file.
- Clone the repo and run node public/scan.mjs from source.
Whichever you choose, you run the exact same code, just after you've looked at it.
Where is the file saved?
In the folder your terminal was in when you ran the scan. The scanner prints the exact path with a ✓ when it finishes. Trust that line. For a terminal you just opened, it's usually your home folder.
Is this affiliated with Anthropic?
No. It's a Bespoke Woodcraft Studio tool, not an Anthropic product. “Claude” and “Claude Code” are trademarks of Anthropic.
Is it really free and open source?
Yes: free and open source under the MIT license. The full source is on GitHub: read it, run it, fork it, or self-host your own copy.