Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Duolingo Tracker

v0.1.0

Fetch and display Duolingo learning stats: streak, XP, league, level, course progress, and daily/weekly summaries. Use this skill whenever the user asks abou...

by The Mooorish @elmoorish
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Skill name/description match the runtime instructions: it queries Duolingo web endpoints to retrieve streak, XP, courses, and leaderboard info. However, the declared required binaries include python3 even though SKILL.md only demonstrates curl/bash usage — python3 appears unnecessary.
Instruction Scope
SKILL.md limits actions to Duolingo web endpoints and describes a manual one-time step to copy the jwt_token cookie from the browser. It does not instruct the agent to read unrelated files, system configs, or other environment variables.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by the skill itself — this is low-risk from an installation perspective.
Credentials
The only sensitive credential referenced in SKILL.md is DUOLINGO_JWT, which is appropriate for private Duolingo data. However, the registry metadata shows a corrupted/ambiguous 'Required env vars: [object Object]' entry (metadata integrity issue). Also the optional DUOLINGO_JWT is sensitive and users must be cautioned not to paste it into chat or logs.
Persistence & Privilege
Skill is not always-enabled and is user-invokable; it does not request persistent system-wide privileges or configuration changes.
What to consider before installing
This skill is mostly coherent for its stated purpose, but a few issues warrant caution:

- Metadata/manifest problems: the registry shows 'Required env vars: [object Object]' which looks like a serialization bug — ask the publisher or inspect the source to confirm the exact env requirements before proceeding.
- Unnecessary requirement: the skill declares python3 as required but the instructions only show curl/bash usage. Ask why python3 is listed or prefer a version that omits it.
- Sensitive token: full/private stats require your browser jwt_token (DUOLINGO_JWT). Treat this like a password: do not paste it into public chat, logs, or third-party services. Use the unauthenticated endpoints (public profile) if you don't want to share the token.
- Source provenance: the skill has unknown source and no homepage. Prefer skills from known maintainers or that include source code you can inspect.
- Operational notes: endpoints used are Duolingo domains (including a leaderboards domain) — verify those exact domains if you have concerns. If you ever suspect compromise, revoke sessions from your Duolingo account (logout everywhere) to invalidate the JWT.

Before installing or enabling this skill, ask the publisher for the source code or a clear explanation why python3 is required and request corrected registry metadata. If you must provide DUOLINGO_JWT, consider creating a throwaway account or limit sharing to local, trusted environments only.

Like a lobster shell, security has layers — review code before you run it.

latestvk970me827k7311p72pjp2ptnrh83dje2


Runtime requirements

Bins: curl, python3
Env: [object Object]
