Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Last Words

v1.0.0

Auto-deliver final messages to loved ones after 30 days of inactivity. Use when user wants to record a final message, configure email delivery, manage voice...

by Leon Liu (@dilboy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's requested capabilities (record messages, monitor chat activity, send email attachments) align with the stated purpose. It legitimately needs an SMTP account to deliver email and needs access to local OpenClaw session files to detect activity. However, the repository includes a secure_storage module for encrypting secrets but the interactive configuration flow and configure_delivery.py store SMTP credentials directly in the local SQLite database (no call to secure_storage), so the claimed 'secure storage' is not actually wired into the save path.
Instruction Scope
SKILL.md instructs the agent to collect SMTP authorization codes via chat and to run local scripts that save those credentials. The code then writes the SMTP password into the local SQLite DB in plaintext (configure_delivery.py -> database.save_config). The instructions claim passwords are masked in chat and stored locally only, but masking in chat does not prevent the credential from being captured in chat logs or the DB. Also, check_activity.py's warning email implementation appears to set the warning recipient to config['contact'] (the configured recipient), which means warnings intended for the user may be sent to the recipient — a surprising/incorrect behavior that could leak information to third parties.
Install Mechanism
There is no remote install/download step; the skill contains local scripts and a deploy.sh for manual remote deployment. No external, arbitrary downloads or URL-extraction installs are used. The lack of an install spec in registry metadata is fine for a script-based skill, though the package includes multiple executable scripts that will be written to disk when installed.
Credentials
Registry metadata declares no required env vars, but the skill requires SMTP credentials (smtp_user/smtp_pass/contact) to function. It also supports loading from a .env file and mentions LAST_WORDS_MASTER_PASSWORD / secure_storage for encryption, yet the configure path does not use secure_storage to encrypt the password. So the skill requests highly sensitive secrets (email auth code) for a plausible reason, but the handling is inconsistent and exposes those secrets locally (and potentially in chat logs).
Persistence & Privilege
The skill does not request special global privileges and isn't marked always:true. It stores data under ~/.openclaw/last-words and creates a local SQLite DB and audio files. One additional behavioral note: the debug mode enables immediate sending of messages (bypassing the 30-day wait), which increases the risk of accidental or unexpected delivery if enabled — consider auditing or disabling debug mode before configuring sensitive credentials. Autonomous invocation is allowed by default (normal), so the skill could run its daily check if installed and scheduled.
What to consider before installing
Before installing or entering credentials:

1. Treat the SMTP auth code as highly sensitive. The skill will ask for it and will store it in the local SQLite DB in plaintext by default. Although a secure_storage module exists, it is not used by the configure flow, so your credential will be stored unencrypted unless you modify the code.
2. Prefer creating a dedicated/send-only email account (or an application-specific password) for this feature rather than using your primary email account. That limits the blast radius if the DB is exposed.
3. Avoid pasting secrets into chat if you can. Use the --from-env path with a .env file, or set environment variables and then run python3 configure_delivery.py --from-env, so the credential is read from the environment instead of being typed into the chat flow. Be aware that .env files on disk are another local secret store to protect.
4. If you need encryption: either (a) set LAST_WORDS_MASTER_PASSWORD and modify configure_delivery.py to call secure_storage.secure_store before saving smtp_pass, or (b) patch configure_delivery.py to encrypt before database.save_config; otherwise stored secrets remain plaintext.
5. Review and test the code in an isolated environment first. Note that debug_mode allows immediate sends; keep debug disabled until you have validated recipients and credentials. Also confirm where warning emails go: the current implementation may send inactivity warnings to the configured 'contact' (the recipient) rather than to the user, which could leak status information.
6. If you are uncomfortable with local storage of credentials or with the skill being able to send email autonomously, do not install it, or audit and patch the credential handling first.
