ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Lineage Tracker

v2.1.0

Track data origin, transformations, and flow through construction systems. Essential for audit trails, compliance, and debugging data issues.

0· 3.2k·11 current·13 all-time
by@datadrivenconstruction
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (data-lineage for construction) align with the provided Python-based classes and methods in SKILL.md. Requiring python3 is reasonable for the included Python examples and for processing CSV/Excel/JSON data. The manifest's 'filesystem' permission is consistent with reading user-provided files.
Instruction Scope
Instructions focus on processing data supplied by the user (CSV/Excel/JSON or provided file paths) and reference the Python code in SKILL.md. This stays within the stated purpose. However, the skill will read files from the filesystem (claw.json lists filesystem permission) — the instructions rely on user-supplied file paths but do not technically prevent reading other files if the agent is given broad discretion. No instructions are present that access external endpoints or request unrelated credentials.
Install Mechanism
Instruction-only skill with no install spec or runtime downloads. That lowers risk: nothing is written to disk by an installer. The python3 binary requirement is proportional to the provided code samples.
Credentials
The skill does not request environment variables, secrets, or external API keys. No unexpected credentials or config paths are declared. The lack of required env vars is coherent for an offline/local data processing helper.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). The manifest declares a 'filesystem' permission, which is reasonable for a file-processing tool but does increase blast radius: if the agent is allowed to run the skill autonomously, it could access files on disk. There is no evidence the skill modifies other skills or system-wide settings.
Assessment
This skill appears to do what it claims (track and record data lineage for construction data) and does not ask for credentials or external installs. Before installing: 1) Confirm you trust the publisher/homepage (source is listed as 'unknown'); 2) Be mindful that the skill requests filesystem access (it will read files you point it to) — avoid giving it access to sensitive system files or credentials; 3) Note the small metadata inconsistencies (claw.json shows version 2.0.0 while registry lists 2.1.0); consider testing the skill in a sandbox or with non-sensitive sample data first; 4) If you plan to let the agent run the skill autonomously, restrict its scope (only allow access to project folders) and monitor activity; 5) If you need stronger assurance, request the full SKILL.md and instructions be reviewed for any hidden network calls or explicit upload steps (none are present in the files reviewed).

Like a lobster shell, security has layers — review code before you run it.

latestvk9742hyhzw0d9ca4qp4denhg7h816jm5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✔️ Clawdis
OSmacOS · Linux · Windows
Binspython3

Comments