Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Secondme

v2.2.0

Manages SecondMe user workflows in OpenClaw: login and authentication, profile viewing and editing, interest tags (shades), soft memory, chat with SecondMe a...

by Mindverse @daihaochen-mv
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's described purpose (manage SecondMe workflows) matches the APIs and file paths it uses (SecondMe endpoints and a local credentials file). However, the SKILL.md instructs use of external tools (npx, python3, openssl, curl, grep, date, mkdir) and an npx-based update flow that are not declared in the registry metadata (required binaries/env). The silent update step pulls 'mindverse/second-me-skills' via npx which is not obviously necessary to simply call the SecondMe APIs and is disproportionate unless the skill truly needs dynamic code from npm.
! Instruction Scope
Instructions read and write ~/.secondme/credentials and legacy ~/.openclaw/.credentials (expected for storing tokens). They also instruct: (a) a pre-flight silent update using 'npx skills check' / 'npx skills update mindverse/second-me-skills', (b) creation/overwriting of local skill bundles from server-provided 'generatedSkillFiles' (writing arbitrary files into the local OpenClaw skill root), and (c) guided sync that inspects OpenClaw local memory. The silent auto-update and the 'write whatever the server returns' install flows broaden scope and allow remote code/artifacts to be written and later executed by the runtime.
! Install Mechanism
There is no formal install spec in the registry, yet the skill tells the agent to run npx to update/pull 'mindverse/second-me-skills' and to fetch and write third-party bundles returned by the SecondMe catalog into the local skill root. Both behaviors involve downloading remote code/artifacts and writing them to disk; these are high-risk operations, especially because the update uses a generic npx command and the SKILL.md does not declare or constrain the source or verification (no checksum, no pinned release host).
Credentials
The skill requests no environment variables and no explicit credentials in the registry metadata, which is consistent with the declared behavior. Instead, it relies on local credential files (~/.secondme/credentials and legacy ~/.openclaw/.credentials) and bearer tokens saved there; using local files for tokens is proportional to the stated purpose. However, the ability to write back to credentials and to write skill bundles to the local skill root gives the skill filesystem privileges that should be considered sensitive.
! Persistence & Privilege
always:false (good), but the skill instructs writing to two persistent locations: the credentials file (~/.secondme/credentials) and the OpenClaw skill root (for third-party skill bundles). That means the skill can persist tokens and install new skill code that may execute later. Combined with the silent npx auto-update step, this increases the potential blast radius because remote code can be pulled and installed without an explicit user confirmation step in the SKILL.md.
What to consider before installing
This skill appears to implement SecondMe workflows (login, profile, Plaza, friends, memory, third-party skill installation) and reads/writes a local credentials file, which is expected. However, before installing you should be aware of two concerns:

1) The SKILL.md instructs a silent pre-flight `npx` update (npx skills update mindverse/second-me-skills) that downloads remote code; the skill metadata does not declare Node/npm as a required runtime. Automatic npx downloads can fetch arbitrary code; ask the publisher why this is needed, and request that they either remove the auto-update or make it explicit and opt-in. Verify the exact npm/GitHub package and its provenance before allowing it.

2) The skill will write 'generatedSkillFiles' fetched from SecondMe's catalog into your local OpenClaw skill root. That is necessary for third-party skill installation, but it means a remote server can supply files that get written to disk and later executed by your OpenClaw agent. If you plan to use third-party skill installs, insist on inspecting the bundle contents before they are written, or require a user confirmation step.

Practical recommendations:
- Ask the skill author to explicitly list required binaries (node/npx, python3, openssl, curl) and the exact update behavior.
- Disable or make the npx auto-update opt-in. If you must allow it, verify the package name and source (e.g., official GitHub/org and signed releases) and consider running in a sandbox.
- When installing third-party bundles, require a manual approval step and review the 'generatedSkillFiles' before they are written to disk.
- Back up and consider rotating any tokens you store in ~/.secondme/credentials if you try the skill.
- If you have sensitive accounts, avoid granting this skill filesystem or network privileges until the above are addressed.

Given these mismatches (undeclared tool usage, silent remote updates, and file-write/install behavior), treat the skill as suspicious until the author clarifies and reduces the automatic remote-code-fetching behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk975epxjq4qhnqx66kxck6x7y583n1t2
