Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nova Letters

v0.1.0

Write reflective letters to your future self. Capture what matters across sessions.

by Novaiok@cryptocana
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the code and files: the package implements a local CLI that writes, lists, reads, and searches daily markdown letter files under ~/.openclaw/workspace/letters. It does not request unrelated credentials or external services.
Instruction Scope
SKILL.md/README claim commands like 'nova-letters today' and describe auto-detected timezone / NODE_TZ configuration, but the implementation exposes 'read' (which defaults to today when no date is provided) rather than a 'today' subcommand, and the code hardcodes the 'America/New_York' timezone instead of honoring NODE_TZ. These are documentation/UX inconsistencies (not unexpected malicious behavior) but will confuse users and scripts.
Install Mechanism
No install specification in the registry; package.json provides a CLI entrypoint and the README suggests npm or a platform installer. Nothing is downloaded at runtime and there are no external install URLs, so install risk is low.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code only reads the user's home directory (os.homedir()) to store files under ~/.openclaw/workspace/letters, which is proportionate to its purpose.
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges. It creates a directory and writes files under the user's home directory (normal for a local CLI). It does not modify other skills or system-wide configs.
Assessment
This skill appears to be a simple local CLI that saves and reads markdown 'letters' in ~/.openclaw/workspace/letters and does not access the network or request secrets. Before installing, note the documentation mismatches: SKILL.md/README list a 'today' command and claim timezone autodetection/NODE_TZ support, but the shipped CLI uses a 'read' command (which reads today by default) and hardcodes America/New_York for timestamps. Also confirm you are comfortable with the tool creating and appending files under ~/.openclaw/workspace/letters. If you want to use it in automation, test the actual commands (read vs today) and consider editing the source to respect your timezone or NODE_TZ if needed. If you have strict security requirements, run the CLI under a limited account and inspect the file path and code locally before installing globally.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b2b3hgt7gntcy98t02p8v4x81rrm8
