Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Order Tracker

v1.0.0

Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi...

by Jaden's built a claw (@cjboy007)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements order dashboard, status updates, and email notifications consistent with the declared purpose. However, the runtime instructions and code implicitly require SMTP credentials (for sending emails) that are not declared in the skill metadata (requires.env is empty). The README and SKILL.md point the SMTP config at a different skill's .env (imap-smtp-email), which is reasonable for email but is not reflected in the declared requirements.
Instruction Scope (flagged)
Instructions and scripts operate on local data files (data/orders.json), write backups and logs (logs/status-changes.log, logs/notifications.log), and load an external .env at ../../imap-smtp-email/.env via dotenv. The notification script will connect to an external SMTP server (network I/O) and send email content. The update script accepts --orders-file and --schema-file flags allowing it to read/write arbitrary paths supplied by the caller. The agent instructions are precise but grant the runtime ability to read another skill's credentials file and modify local files — that cross-skill file access and arbitrary path support are scope concerns.
Install Mechanism
No install spec in the registry; this is an instruction-only skill with Node.js scripts and a package.json. Dependencies are limited to dotenv and nodemailer (both present in package-lock.json) and are reasonable for this functionality. No network downloads or archive extraction are used by the skill itself.
Credentials (flagged)
The skill requires SMTP_HOST/SMTP_USER/SMTP_PASS (and related SMTP_* envs) at runtime to send emails — createTransporter throws if they are missing — but the registry metadata lists no required environment variables or primary credential. Instead the code loads those values from a relative .env file belonging to another skill (imap-smtp-email). Requesting access to another skill's .env without declaring this dependency is disproportionate and should be explicit. Storing SMTP credentials in a sibling skill's .env is a cross-skill secret access pattern the user should verify.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists data only to local files inside the skill directory by default (data/, logs/, .bak). The scripts create backups and logs, and will modify orders.json when run (unless --dry-run). This is expected for a CLI order manager; however, the ability to specify custom orders-file paths means it can be used to overwrite other files if invoked with arbitrary paths (caller-controlled), so exercise normal caution when running with elevated context.
What to consider before installing
What to check before installing/using this skill:
- SMTP credentials: send-order-notification.js loads SMTP config from ../../imap-smtp-email/.env. Confirm you have (or want to provide) SMTP_HOST/SMTP_USER/SMTP_PASS and related settings, and that you trust the imap-smtp-email skill and its .env file location. The skill metadata does not declare these env vars — treat this as a manual dependency.
- File writes: update-order-status.js will modify data/orders.json (creates a .bak) and append to logs/status-changes.log. Run with --dry-run first and inspect the backup before letting it write in production.
- Arbitrary paths: both update and notification scripts accept --orders-file to point to any path; only run these scripts as a user who controls the supplied file paths. Avoid running them as a privileged user or from automated agents with access to sensitive directories.
- Email behavior: the notification script will connect to the SMTP host and send emails with order content (customer names/emails/order details). Verify you want these messages sent from the configured SMTP account.
- Origin and trust: source/homepage are unknown. The code is readable and unsurprising, but the skill accesses another skill's .env and does network I/O. If you plan to use it, review the imap-smtp-email .env contents, run smoke tests in the repo (smoke-test.sh uses dry-run), and consider running in an isolated workspace or container first.


latest: vk976pnevtw7rnmxj3s1qkqwmbs83qbqf
