ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context Restore

v1.1.0

Skill that restores conversation context when users want to "continue where we left off". Reads compressed context files, extracts key information (recent operations, projects, tasks), and provides structured output to help users quickly resume their work.

0· 1.4k·0 current·1 all-time
by@alexunitario-sketch
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and the included scripts (restore_context.py, project_progress.py, robustness_improvements.py, tests, and docs) align with a tool whose job is to read compressed context files, extract projects/tasks/operations and produce summaries. The repository layout and documentation consistently describe that functionality.
Instruction Scope
SKILL.md instructs the agent to read a default compressed_context/latest_compressed.json and offers a --file flag to point to other files; it also references reading MEMORY.md/highlights and provides command-line options for --auto, --check-only, --install-cron, and --telegram. Reading a compressed context file and producing summaries is in-scope, but the ability to specify arbitrary file paths (--file) and the automation options mean the tool can be used to read arbitrary files or run repeatedly unless the user constrains it.
Install Mechanism
There is no install spec in the registry metadata (instruction-only skill). The docs mention git clone and ClawHub install examples, which is normal for an open-source skill. No remote binary downloads or obfuscated installers were declared. The code is shipped in the package (scripts + docs), so there is no hidden network install step in the metadata.
Credentials
The skill declares no required env vars or credentials. However, SKILL.md and docs mention Telegram/Discord/WhatsApp integration and automatic notifications without listing tokens or webhook config in requires.env. That is an inconsistency to clarify: either the code merely formats messages (no network calls) or it expects credentials to be supplied elsewhere — verify restore_context.py and auto_context_monitor.sh for any network calls and where credentials would be read from (env, config files, or other skills).
!
Persistence & Privilege
The skill supports an --install-cron option and a Phase-3 --auto mode and ships an auto_context_monitor.sh script. Installing a cron job creates persistent scheduled execution on the host, which increases the blast radius if the script is later modified or if it exfiltrates data. This is an optional capability, but it is a privilege that warrants manual review before enabling.
What to consider before installing
What to check before installing or enabling this skill: - Review scripts/restore_context.py, scripts/auto_context_monitor.sh and any other scripts for network activity (HTTP, sockets, third‑party APIs) and for any code that reads arbitrary filesystem paths. Search for calls to requests/urllib/sockets/subprocess or explicit webhook/URL strings. - Confirm how Telegram/Discord/WhatsApp sending is implemented: if the skill will actually send messages, find where it expects tokens/webhooks and whether those are read from environment variables or a config file. The registry metadata lists no required credentials — confirm that sending cannot proceed without explicit user-provided tokens. - If you plan to use automatic monitoring (--auto) or --install-cron, inspect and test the cron script before installing it. Cron is persistent and will repeatedly execute the script; do not install it until you trust the script and its behavior. - Beware of the --file option: it can be used to point the skill at arbitrary files. Only allow paths you trust and ensure the agent's file access policy prevents accidental disclosure of sensitive files. - Because the source/homepage is 'unknown' in the registry metadata, consider running the code in a sandbox or reviewing the repository files in full before granting it execution privileges on your environment. If you want, I can (1) scan the specific script files for network calls and suspicious sinks, or (2) provide a short checklist of exact lines/strings to look for in the code to confirm there are no exfiltration paths.

Like a lobster shell, security has layers — review code before you run it.

ENvk97076942jef2s5r02ev4s1apd80mkr6ITvk97076942jef2s5r02ev4s1apd80mkr6ZHvk97076942jef2s5r02ev4s1apd80mkr6contextvk97076942jef2s5r02ev4s1apd80mkr6latestvk9711jzcc02xrw02sacdzkq0x580q5bfmemoryvk97076942jef2s5r02ev4s1apd80mkr6recoveryvk97076942jef2s5r02ev4s1apd80mkr6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments