Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OPC Journal

v2.5.2

OPC200 Journal - A CLI-style single skill for One Person Company growth tracking. Record entries, analyze patterns from dreams/memory, detect milestones, and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (local CLI journal, analysis, milestones, insights) align with the included command modules: read/write/search/archive/analyze/insights/task persistence under a per-customer directory. No unrelated cloud credentials or binaries are requested.
Instruction Scope
SKILL.md and the visible command code focus on local file I/O and returning raw structured data to the caller (LLM). This is coherent, but the skill intentionally returns raw journal text and signal counts to the caller — a privacy-sensitive action (exposes potentially very sensitive personal data to the calling LLM). Also, some commands (insights/analyze) include keyword regexes (e.g., 'burnout', 'overwhelm') which surface mental-health-related signals; the code claims not to draw conclusions, but it does surface sensitive indicators for an LLM to interpret.
Install Mechanism
No install spec; instruction-only/CLI files are present and nothing will be downloaded or injected during install. This is the lowest install risk.
Credentials
No environment variables, credentials, or config paths are declared or required. However, several utility files referenced by the commands (utils/storage.py, utils/task_storage.py, utils/timezone.py) were omitted from the provided content — those could legitimately access environment variables, external paths, or networking. The lack of declared env vars is appropriate for the stated purpose, but missing utility files prevent a complete verification.
Persistence & Privilege
Skill is not always-enabled, does not request elevated system privileges, and appears to confine its I/O to a per-customer directory under the user's home. It does not modify other skills or global agent settings.
What to consider before installing
This skill behaves like a local journal CLI and most visible code is consistent with that claim, but you should do two quick checks before installing or running it with real data: (1) Inspect the omitted utility files (utils/storage.py, utils/task_storage.py, and possibly utils/timezone.py) to confirm they do not perform any network calls, invoke unexpected binaries, or read unrelated system paths or environment variables. (2) Confirm that build_customer_dir and related storage functions properly sanitize customer_id and constrain files under a safe directory (e.g., ~/.openclaw/customers/...), to avoid path traversal or writing outside the intended area. Also be aware that analyze/insights return raw journal contents and signal counts to the calling LLM; this is expected for the skill but is a privacy risk if you don't trust the agent/LLM. If you cannot inspect the omitted files or do not want journal contents exposed to an LLM/agent, do not install or run this skill with real personal data.



Runtime requirements

📔 Clawdis
