Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Medication Reminder

v3.0.0

Track medications with dosing schedules and intake history. Use when managing prescriptions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided files and runtime instructions. The script implements add/list/take/history/schedule/due and stores data under ~/.local/share/medication-reminder — this is coherent for a local medication tracker. No unrelated credentials, binaries, or cloud services are requested.
Instruction Scope
SKILL.md instructs the agent to run the included shell script only; it references only the local data directory. There are no instructions to access system-wide secrets or external endpoints. Note: the skill stores potentially sensitive health data on disk in plaintext under the user's home directory — that is a privacy consideration (not a hidden behavior).
Install Mechanism
No install spec; this is instruction-only with a bundled script. Nothing is downloaded or written to unexpected system locations beyond the declared ~/.local/share/medication-reminder data dir.
Credentials
The skill requests no environment variables or credentials. It uses $HOME for a local data directory, which is reasonable and proportionate for a local tracker.
Persistence & Privilege
always is false and model invocation is standard; the skill does not modify other skills or system-wide config. It only creates its own data directory and files under the user's home.
Assessment
This skill appears to be a simple, local medication tracker and is coherent with its description. Before installing, review and consider:
(1) Privacy: it stores health data in plaintext at ~/.local/share/medication-reminder; if that is sensitive, run it in a restricted account, encrypt the directory, or modify the script to use encrypted storage.
(2) Minor bugs and robustness: the script uses unquoted variable expansions when building JSON and when redirecting, which can break with unusual medication names (spaces, quotes) and may produce malformed JSON; it also prints literal 'Added $2' messages due to quoting. If you plan to use it long-term, consider hardening: quote expansions, validate/sanitize inputs, use a JSON library (jq) or printf to build safe JSON, and add error handling for concurrent writes.
(3) Run in a sandbox or inspect the script locally before invoking, as with any third-party script. No network/credential exfiltration was observed.

Like a lobster shell, security has layers — review code before you run it.
