Huckleberry

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-huckleberry-skill
Version: 0.1.0

This skill is classified as suspicious due to its reliance on a reverse-engineered API client (`py-huckleberry-api` from GitHub) and its direct interaction with Google Cloud Firestore. While the current implementation uses Firestore for benign purposes (extending note functionality and precise sleep logging), this direct, low-level access to the backend data store (as seen in `scripts/hb.py` via `api._get_firestore_client()` and `add_notes_to_latest_interval()`) represents a powerful capability that, if misused, could lead to unauthorized data manipulation or exfiltration. The installation from a GitHub URL also introduces a supply chain risk. There is no clear evidence of intentional malicious behavior, but these risky capabilities warrant a 'suspicious' classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill gives it account-level access needed to read and update Huckleberry baby-tracking data.

Why it was flagged

The skill uses the user's Huckleberry email/password from environment variables or a local credentials file to authenticate to the account.

Skill content

email = os.environ.get("HUCKLEBERRY_EMAIL")
password = os.environ.get("HUCKLEBERRY_PASSWORD")
...
config_path = Path.home() / ".config" / "huckleberry" / "credentials.json"
...
api.authenticate()

Recommendation

Only install if you are comfortable providing Huckleberry credentials. Prefer environment variables or a well-protected credentials file, and remove credentials if you stop using the skill.

What this means

A mistaken command could create or alter baby activity records, such as sleep sessions or notes, in the connected Huckleberry account.

Why it was flagged

The CLI can directly add records to Huckleberry's Firebase/Firestore backend, which is expected for logging but is still mutation authority over child activity data.

Skill content

# Write directly to Firestore
client = api._get_firestore_client()
intervals_ref = client.collection("sleep").document(child_uid).collection("intervals")
...
intervals_ref.add(doc_data)

Recommendation

Use the skill for explicit logging requests, verify the selected child in multi-child accounts, and review records in Huckleberry after important updates.

What this means

Future changes to the remote dependency could affect what code runs when a user installs or reinstalls the package.

Why it was flagged

The setup instructions install a mutable GitHub dependency without a pinned commit or version; that dependency is central to authentication and API calls.

Skill content

pip install git+https://github.com/Woyken/py-huckleberry-api.git

Recommendation

Pin the dependency to a known commit or release, and review the dependency source before providing credentials.

What this means

A user may not realize from registry metadata alone that the skill needs Huckleberry account credentials.

Why it was flagged

The registry metadata under-declares the credential requirement, even though SKILL.md and scripts/hb.py disclose that Huckleberry email/password credentials are needed.

Skill content

Required env vars: none
Env var declarations: none
Primary credential: none

Recommendation

Declare HUCKLEBERRY_EMAIL, HUCKLEBERRY_PASSWORD, and the optional credentials file path in the skill metadata so users see the credential need before installation.