ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wilma Triage

v1.0.1

Daily triage of Wilma school notifications for Finnish parents. Fetches exams, messages, news, schedules, and homework — filters for actionable items, syncs...

0· 865·0 current·0 all-time
by@aikarjal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's required CLIs (wilma and gog) and the dependency on a wilma skill are consistent with its stated goal of fetching Wilma data and syncing calendars. However, the top-level registry metadata omitted the config paths and skill dependency that the SKILL.md declares (incoherent declarations).
!
Instruction Scope
SKILL.md instructs the agent to run wilma/gog CLI commands, read user-level config (~/.config/wilmai/config.json and gogcli app data), and to write the calendar ID to TOOLS.md and preferences to MEMORY.md. Reading/writing those persistent files and home-directory config is broader than a purely ephemeral triage run and could expose or alter other agent state; the registry did not advertise those config paths.
Install Mechanism
Instruction-only skill with no install spec — low installation risk. It relies on preinstalled CLIs/skills rather than downloading code.
!
Credentials
No environment variables are requested, which is reasonable, but SKILL.md references local credential/config files (Wilma config and gog CLI OAuth data) that are not declared in the registry metadata. The skill will access and persist data in agent-wide files (TOOLS.md, MEMORY.md), which may contain other sensitive context — this access was not fully declared.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system presence. It does instruct writing to TOOLS.md and MEMORY.md (agent persistent storage) to save calendar IDs and preferences; that persistent behavior is expected for personalization but should be accepted explicitly by the user.
What to consider before installing
This skill appears to do what it says, but there are metadata and scope gaps you should verify before installing: 1) Confirm you have and trust the 'wilma' and 'gog' CLIs (and the referenced 'wilma'/'gog' skills from ClawHub) because the skill runs their commands. 2) Be aware it will read your Wilma config (~/.config/wilmai/config.json) and gog CLI app data (~/Library/Application Support/gogcli/), but those paths were not declared in the registry — ensure you are comfortable with the agent accessing those local credentials. 3) The skill will write the calendar ID to TOOLS.md and store preferences in MEMORY.md (persistent agent files) — check these files for sensitive content and accept that they will be modified. 4) Because source/homepage is unknown, consider inspecting the 'wilma' and 'gog' skill code or running the commands manually first to confirm behavior. If you are uncomfortable with the agent reading/writing config or persistent files, do not install or run until the declarations and provenance are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bktghahjwrpegt80nx7rfhx818727

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binswilma, gog

Comments