Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scribe

v1.0.0

Scans OpenClaw logs, config files, chat history, cursor history, behavior, desires, tastes, and drafts to take comprehensive daily and weekly notes with summ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Scribe — comprehensive note-taking) matches the actions the skill performs: scanning logs, openclaw.json, Cursor SQLite DBs, memory and draft files and producing Markdown/JSON notes. There are no unrelated environment variables or external binaries declared, so capability requests are broadly coherent with the stated purpose.
[!] Instruction Scope
SKILL.md explicitly instructs the agent (and the user) to read many user-local files and directories (e.g., ~/.openclaw/logs/*.log, ~/.openclaw/openclaw.json, Cursor's state.vscdb in the user Library path, workspace memory and drafts). While this is consistent with producing comprehensive notes, those instructions allow aggregation of very sensitive data (configuration that may contain tokens, chat transcripts, draft content, memory/behavior files). The SKILL.md also suggests cron integration which would automate repeated access to those sources.
Install Mechanism
No install spec is provided (instruction-only skill with a bundled script). That is lower-risk than a remote download/install, but the package includes a local Python script (scripts/scribe.py) that will be executed — there is executable code on disk with no declared provenance (git clone URL in README is a generic placeholder).
[!] Credentials
The skill requires no environment variables, which is good, but it reads configuration files (openclaw.json) and Cursor DBs that commonly contain credentials, API keys, or private conversation history. Requesting broad filesystem access to aggregate these items is proportionate to a 'comprehensive scribe' only if the user expects that degree of access; otherwise it is high-risk. The skill does not declare where (if anywhere) collected data might be sent, so local aggregation could become an exfiltration target if the code is modified.
Persistence & Privilege
The skill does not request always:true and does not declare modifying other skills or system-wide agent settings. It writes output into workspace/Notes/* by design. The README shows an example cron job, but scheduling is optional and not enforced by the skill metadata.
What to consider before installing
Before installing or running Scribe:

(1) Inspect scripts/scribe.py fully for any network activity (HTTP requests, sockets, remote endpoints, encoded/obfuscated strings) or subprocess calls that could exfiltrate data. Grep for modules like requests, urllib, socket, subprocess, or any hard-coded URLs.
(2) Review your ~/.openclaw/openclaw.json and Cursor DBs to confirm they don't contain secrets you don't want aggregated; if they do, remove or rotate them first.
(3) Run the script in an isolated environment or with --openclaw-home pointing to a copy of your data to see what it reads and what it writes.
(4) If you plan to automate via cron, prefer running against a sanitized copy or explicitly restrict the openclaw-home path.
(5) If the repository provenance (author, homepage, repo URL) is not verifiable, treat the included code as untrusted.

What would change this assessment: discovering any network exfiltration (hard-coded remote endpoints, encrypted outbound traffic, or subprocesses that call external services) or obfuscated/encoded payloads would raise the severity toward malicious; a trusted upstream repository and an explicit statement that config files do not contain secrets (or that secrets are filtered) would increase confidence toward benign.

Like a lobster shell, security has layers — review code before you run it.
