Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Homestruk Maintenance Triage
v1.0.0
Triage tenant maintenance requests by severity, assign priority, identify the right contractor type, estimate costs, and generate work orders. Use when a ten...
by Adams Jean Baptiste (@adamsjb)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions (classify requests, pick contractor type, estimate cost, draft work orders). However, the skill implicitly expects a Homestruk-style workspace under ~/.openclaw (contractor roster, SOPs, work-order folder) even though no install steps, required config paths, or setup instructions are declared.
Instruction Scope
SKILL.md explicitly instructs the agent to read ~/.openclaw/workspace/contractors and reference ~/.openclaw/workspace/sops/* and to write work orders to ~/.openclaw/workspace-ops/work-orders/. Those file reads/writes are within the skill's stated purpose but are not declared in the skill metadata. The instructions do not call out any external network endpoints for data exfiltration, but the undeclared local file access is scope creep relative to the listed requirements.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials (which is appropriate). However, it expects access to local configuration and data under ~/.openclaw; the lack of declared config paths is an omission the user should be aware of.
Persistence & Privilege
always is false and the skill is user-invocable, which is appropriate. The runtime instructions write work-order files to the user's home directory, which is reasonable for a work-order tool but is a permanent side-effect and should be acknowledged by the user.
What to consider before installing
This skill appears to do what it says (triage and generate work orders) but it expects to read and write files in ~/.openclaw even though the manifest doesn't declare those paths. Before installing or enabling it:
(1) confirm you have a trusted ~/.openclaw workspace or be prepared to review any files it creates under that directory;
(2) back up your existing ~/.openclaw data so automatic writes can't overwrite important files;
(3) if you want to limit file access, run the skill in a restricted/sandboxed agent environment or ask the skill author to declare required config paths and a safe install/setup procedure;
(4) verify whether the agent will actually send notifications (email/SMS) or only draft messages — if it will transmit messages, confirm where those messages go and that no external endpoints are used without your consent.
These steps will reduce the risk of unexpected local data access or persistent changes.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ba63am93f2dhcv97j3zpw9983ckq4
