Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Group Logger

v1.0.0

Automatically logs LINE group messages that contain work-related keywords to a CSV file and summarizes the data on demand via @mention.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to capture every LINE group message matching keywords, but the package declares no required environment variables, tokens, or hooks for connecting to LINE (webhook URL, CHANNEL_SECRET, CHANNEL_TOKEN, etc.). A legitimate implementation would need explicit credentials or a delivery mechanism; that is missing. The SKILL.md also hardcodes a Windows path (C:\Users\Server\.openclaw\workspace\...) which assumes the agent runs on Windows and has write access there.
[!] Instruction Scope
Runtime instructions ask the agent to 'รับข้อความจากกลุ่ม' (receive messages) and to silently log matching messages to CSV, plus perform daily backups — but they do not describe who delivers messages to the skill, what integration is used, nor any consent/retention policy. The instructions direct read/write of specific local file paths and automatic backups, which give the skill persistent access to possibly sensitive chat content. There is no mention of limiting data retained, encryption, or access controls.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That lowers supply-chain risk. The regex scanner had no files to analyze.
[!] Credentials
No environment variables or credentials are declared even though the feature requires continuous access to group messages (which in practice needs LINE API/webhook credentials or an agent-side forwarder). The skill therefore under-declares required secrets and access. Also it requests writing to local workspace files (logs and backups) without justifying storage/retention/encryption choices — raising privacy and exfiltration concerns.
Persistence & Privilege
The skill is not marked always:true (good) and does not require special platform privileges, but it writes persistent CSV and backup files into the agent workspace and relies on autonomous invocation behavior (logging mode triggers without an @mention). Autonomous invocation plus silent logging increases privacy risk; consider limiting invocation scope or requiring explicit forwarding of messages.
What to consider before installing
Before installing, ask the skill author to provide:
(1) explicit integration details — how messages are delivered (LINE webhook, channel token), and the exact env vars required (e.g., LINE_CHANNEL_SECRET/TOKEN) so you can audit credential use;
(2) an install or deployment spec if any code will run to receive webhooks;
(3) confirmation the hardcoded Windows paths are intentional (or make paths configurable) and that the agent environment has appropriate permissions;
(4) a data retention/encryption plan for the CSV and backups, and access controls;
(5) whether group members consent to logging.
If you proceed, test in a sandboxed agent, restrict the skill's invocation to only the necessary groups, store logs in an encrypted/secure location, rotate and limit retention, and require explicit opt-in for sensitive groups. The current SKILL.md under-declares required credentials and operational details, so treat it as incomplete and do not deploy it to production until those gaps are resolved.
