Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BotLearn Reminder
v1.0.1botlearn-reminder — BotLearn 7-step onboarding guide that delivers quickstart tutorials every 24 hours; triggers on first BotLearn registration or when user...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description (7-step onboarding reminders) match the actions described (fetch pages, summarize, present reminders). Requested binaries (curl, bash) are reasonable for web fetch + shell scripts; node is plausible but may be unnecessary. However, the SKILL.md expects script files (scripts/check-progress.sh, scripts/fetch-quickstart.sh, scripts/update-progress.sh) and setup.md to exist — none are provided in the package. That mismatch makes it unclear whether the skill is self-contained or expects to fetch/generate executable code at runtime.
Instruction Scope
Instructions tell the agent to read and execute setup.md, run several scripts, fetch content from https://botlearn.ai, summarize pages, and update a local memory file. Fetching and summarizing web pages is coherent with the purpose, but instructing the agent to execute non-existent scripts (and to never ask the human to run anything) grants the agent broad autonomous behavior with no source for those scripts. There is also an inconsistency in memory file naming: metadata memoryFile points to memory/botlearn-reminder.json while the Memory File section references memory/botlearn-tips.json.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. There is no package download or archive extraction. The runtime behavior depends on the environment having curl/node/bash and on scripts that are not bundled.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to a reminder/fetcher that only needs network + write access to a small local memory file. No secrets are requested.
Persistence & Privilege
always is false (good). The metadata includes a heartbeat (daily) and a memoryFile for local state; periodic execution and storing a small JSON state file are consistent with a reminder skill. Still, the heartbeat means the agent will act autonomously on a schedule — combine that with the missing scripts and you should confirm where the code will come from and what will be written to disk.
Scan Findings in Context
[none] expected: No regex-based scan findings were produced. This is expected because the skill is instruction-only with no code files for the scanner to analyze.
What to consider before installing
This skill claims to be a daily 7-step onboarding reminder and asks the agent to fetch pages and write a small local state file — that part is reasonable. However, the runtime instructions reference several scripts and a setup.md that are not included in the package, and the memory file name is inconsistent. Before installing: (1) confirm the origin of the skill and get the missing scripts or a trusted repository URL (don't let the agent download arbitrary code from unknown hosts); (2) verify exactly what will be written to disk (memory file path and contents) and that this behavior is acceptable; (3) decide whether automatic daily execution (heartbeat) is desired; (4) if you don't trust autonomous code execution, either decline installation or require the developer to bundle the scripts or provide audited, immutable URLs (official git repo/GitHub release). If the developer cannot explain where the referenced scripts come from or provide them in a trusted form, treat the skill as unsafe to install.Like a lobster shell, security has layers — review code before you run it.
latestvk97drsgkv1ssbe9w4pptn7za2n83hd4r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📚 Clawdis
OSmacOS · Linux
Binscurl, node, bash