Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Knowledge Gaps

v1.0.0

Track questions Hans failed to answer and flag missing knowledge

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's stated purpose is to log unanswered questions. That could legitimately require a logger script or write access to a log file, but the skill declares no binaries, no files, and ships no code. The SKILL.md commands require python3 ./scripts/log-knowledge-gap.py, which is neither provided nor declared — this is a capability mismatch.
[!] Instruction Scope
The runtime instructions explicitly demand executing a local script (exec python3 ./scripts/log-knowledge-gap.py) and only then responding. This forces the agent to run arbitrary local code if present and to rely on the script's exact output. The skill does not include the script, does not specify where knowledge-gaps.md lives, and prohibits the agent from 'hallucinating' the action, leaving ambiguous behavior if the script is absent.
Install Mechanism
There is no install spec and no bundled code, which minimizes supply-chain risk. However, because the instructions call out to a local script, the absence of an install step means the skill expects the execution environment to already contain that script — a gap that raises operational risk but is not an install-spec issue.
[!] Credentials
The skill requests no credentials or environment variables, which is proportionate. But it invokes python3 without declaring it as a required binary and directs creation/reading of knowledge-gaps.md (not declared as a config path). This mismatch could cause the agent to execute or read unexpected local files.
Persistence & Privilege
always is false and the skill is user-invocable, so it doesn't demand elevated persistent presence. It does, however, instruct writing to a local log file (knowledge-gaps.md) and executing a script — a modest persistence footprint that is coherent for logging, but the lack of explicit file paths and absent script means the behavior is underspecified.
What to consider before installing
This skill tells the agent to run a local Python script (./scripts/log-knowledge-gap.py) and only then tell the user the question was saved. But the skill package contains no script, doesn't declare python3 as a required binary, and doesn't specify where the log file lives. Before installing:
(1) confirm the logger script exists in the agent environment and review its source — do NOT let the agent execute an unreviewed script;
(2) if you expect the skill to provide the script, ask the author to include it and to declare python3 as a requirement, or change the instructions to use a safe, auditable logging API;
(3) ensure the log file path is explicit and that writing to it is acceptable for your security policy.
If you can't review or control the script, treat this skill as risky and avoid enabling it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bqas7fvg5pjnwggrt4b5w2x83432e
