ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

asmr-music

v1.0.2

Provide professional ASMR music recommendations and playback services to help users achieve sleep aid, heart rate regulation, and focus enhancement through s...

0· 174·0 current·0 all-time
by@ashterry
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only ASMR recommendation service and needs no binaries or credentials, which is coherent with recommending tracks and returning playback links. However, it also instructs the agent to enable a cron job (cron/jobs.json) for daily reminders despite not declaring any config-path requirements or install steps — a mild mismatch between what it claims to need and the operational steps it describes.
!
Instruction Scope
SKILL.md directs the agent to read local references/asmr_music.md (present) and to enable/disable a cron job via cron/jobs.json and openclaw cron commands. Referencing and modifying cron/jobs.json is outside the purely conversational scope of a recommendation skill and is not declared in requires.configPaths. Otherwise instructions do not request environment variables or arbitrary file access.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing will be downloaded or written by an installer. This is low-risk from an installation perspective.
Credentials
The skill requests no environment variables, credentials, or configuration paths. That is proportionate for a recommendation-and-linking skill.
!
Persistence & Privilege
The skill expects to create/enable a recurring 'asmr-daily-reminder' cron job (22:00 daily). Although always:false, scheduling recurring jobs implies the agent must be able to modify cron/jobs.json or equivalent — an operation that should be confirmed and limited. The skill does not explain what permissions are required or where the job will be stored.
What to consider before installing
What to consider before installing: (1) External links — the audio links point to myxt.com and a custom URI scheme ("#小程序://…"); these are not widely known streaming hosts. Treat links as untrusted until you verify the domains and services. (2) Cron/job changes — the skill instructs enabling a daily cron job via cron/jobs.json; confirm whether the agent platform will actually grant write access to that file and whether you want a skill to schedule daily notifications. (3) No credentials required — good, but also means playback is via external links rather than an authenticated service; check the playback endpoints for safety/privacy. (4) If you plan to enable reminders, test with the job disabled and run openclaw cron run as a one-off first. To raise confidence: ask the publisher for a homepage or source repository, request clarification about exactly how/where the daily reminder is stored, and verify the myxt.com domain and the custom URI scheme before clicking playback links.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ber2h7t3gbkj3y77p9826g183yh5r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments