Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jwdiario
v1.0.2
Search for and fetch the daily text from the official Jehovah's Witnesses page for the Watchtower Library in Spanish (wol.jw.org/es/). Uses web_fetch ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and included files all point to a simple web-scraper that fetches the daily text from wol.jw.org/es/. Required credentials, env vars, and config paths are absent, which is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs use of 'web_fetch' to retrieve the day's page and to present the original Spanish text unmodified. The code instead shells out to curl (execSync) and strips HTML tags/normalizes whitespace before printing — this alters formatting and may not strictly preserve the original presentation. The instructions do not tell the agent to read unrelated files or secrets.
Install Mechanism
There is no install spec (instruction-only plus a single JS file). Nothing is downloaded during install; risk from install mechanism is low.
Credentials
The skill requests no environment variables, credentials, or config paths. Network access to wol.jw.org is required and expected for the stated task; no extraneous secrets are requested.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and allows normal autonomous invocation. It does not request elevated or persistent system-wide privileges.
Scan Findings in Context
[child_process_execSync_usage] expected: Using a subprocess to run curl is functionally consistent with fetching a web page, but it's an unnecessary elevated operation compared to a native HTTP client and increases risk (shell injection vectors, depending on input).
What to consider before installing
This skill appears to do what it says — fetch the Spanish 'text of the day' from wol.jw.org — and it does not request credentials. However, consider the following before installing:
- Implementation risk: the code runs curl via child_process.execSync. While the URL is constructed from the system date (not directly from user input), shelling out increases attack surface compared to using a native fetch/http library. Prefer a version that uses a built-in HTTP client (fetch or https) instead of execSync.
- Parsing risk: the code uses a regex to extract content and strips HTML tags, which is brittle and may alter the exact presentation or miss content. That conflicts with the SKILL.md instruction to not change the text 'in any way'.
- Legal/terms: scraping site content may violate the source site's terms of use; check wol.jw.org policies if that matters for your environment.
If you still want to use it: review or replace the execSync/curl call with a safe HTTP fetch, and validate the parsing preserves the exact text you need. If you don't want to run subprocesses on your agent host, don't install it.
main.js:24
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
