ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Commitment Engine

v1.0.0

小梦的承诺引擎——将口头任务转化为可追踪的定时承诺,确保到点执行、不遗漏、不等人催。

0· 62·1 current·1 all-time
by@dottythehomeless
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (convert spoken tasks into scheduled, trackable commitments) align with the instructions: creating workspace/commitments.md, treating tasks as one-time/recurring, and registering cron jobs for hard triggers are coherent with the stated purpose.
!
Instruction Scope
SKILL.md mandates reading and writing a commitments.md file and writing to '当日 memory' on every state change, and requires the heartbeat to run commitments checks as its first action (preempting other checks). Those are broad runtime obligations that touch persistent agent state and core event flow; the skill does not limit what it may write into memory or commitments.md, nor does it declare safeguards for sensitive content.
Install Mechanism
Instruction-only skill with no install steps or downloads — lowest risk from code-install perspective.
Credentials
No environment variables or external credentials are requested, which is appropriate. However, the instructions rely on persistent agent storage (workspace/commitments.md and '当日 memory') and the platform cron mechanism; those storage and scheduling accesses are not declared in the skill metadata and may expose or persist user content unexpectedly.
!
Persistence & Privilege
The skill does not request always:true, but it requires that its check run as the very first heartbeat action and that state changes be immediately persisted to memory and file. This effectively elevates its runtime priority and can alter agent behavior platform-wide; users should be aware this preemption can interfere with other skills or workflows.
What to consider before installing
This skill appears to implement a legitimate commitment tracker, but it makes operational demands that affect agent core behavior: it writes a commitments.md file and instructs the agent to write into 'today's memory' on every change, and it requires its check to run before other heartbeat actions. Before installing, ask: (1) Where is '当日 memory' stored, who can read it, and how long is it retained? (2) Will commitments.md live only inside the skill's workspace, or could its content be exported/shared? (3) Can you opt out or disable the heartbeat preemption if it interferes with other skills? (4) Does registering cron jobs require additional permissions? If you can't get clear answers, test in a sandboxed agent account and avoid adding sensitive content to commitments until storage/retention/access controls are confirmed.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799w1m9mwzjb1efp37cffavd83z0v7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments