Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shopping List

v1.0.1

Conversational shopping list with categories, family sharing, and purchase history. Add items, check them off, organize by category — all through natural lan...

by Ajeenkya Bhatalkar (@ajeenkya)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (conversational shopping list, categories, history, family sharing) match the behavior: the SKILL.md and references describe adding, editing, archiving, and persisting items in local JSON files. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
Instructions direct the agent to create and manage files under skills/shopping-list/data/ (active.json, config.json, monthly history files) and to prompt the user once to set a persistent user name. This is expected for a local shopping-list skill, but note that it will persist user-provided identity and list contents on disk and will rename a corrupt active.json to active.json.corrupt if parsing fails.
Install Mechanism
No install spec and no code files to execute. This is low risk: the skill is instruction-only and will not pull external packages or download archives.
Credentials
The skill requires no environment variables, no credentials, and no config paths beyond its own data directory. Requested data storage (user name, items, history) is proportionate to the stated purpose.
Persistence & Privilege
The skill persists data locally (config.json stores a lowercased user name; active and history JSONs store list items). always:false and no cross-skill config modifications. Users should be aware data is written to disk and persisted across sessions.
Assessment
This skill appears to do exactly what it says: keep a local shopping list and history in skills/shopping-list/data/. Before installing, consider: (1) it will create and modify files in that directory and persist a chosen user name in data/config.json; (2) ensure you are comfortable storing shopping data locally in the agent environment; (3) the skill assumes the agent has permission to read/write the specified relative path and will rename corrupted active.json to active.json.corrupt — if you have sensitive files under a similarly named path, check where the agent's working directory is. There are no network calls, no credentials requested, and no install-time downloads. If you want to be extra cautious, inspect the data/ files after first use to confirm contents and location.

Like a lobster shell, security has layers — review code before you run it.

latestvk974cfymnwmr18gzj6eq9q4dks81rvr6
