ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenStartMenuInk

v1.0.0

Automatically scans Windows start menu shortcuts and opens applications by name with fuzzy matching on user command.

0· 144·1 current·1 all-time
by@flychicks
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (scanning Start Menu shortcuts and opening apps) matches the requested filesystem permission and Windows-only platform. However the schema lists a 'main.ps1' and a dependency on PowerShell 7+, yet no code files are included, so the skill as packaged cannot perform its declared function without the agent or user supplying/creating scripts.
!
Instruction Scope
SKILL.md describes scanning per-user and public Start Menu directories and saving a temporary list. It does not include concrete, shipped commands or scripts; because no main script is provided the agent would need to generate or execute ad-hoc PowerShell to implement scanning/opening, increasing risk of arbitrary filesystem commands. The instructions do not request or transmit data to external endpoints, and they limit actions to Start Menu locations, which is appropriate — but the lack of an included implementation grants broad discretion to the agent.
Install Mechanism
There is no install spec and no code files to write to disk, which is low-risk. The skill is instruction-only, so nothing will be downloaded or installed by default. However the schema's 'main' reference implies an expected script that is missing.
Credentials
No environment variables or external credentials are requested (good). The schema includes a cacheFile path inside the user's AppData, which is consistent with storing a local cache, but SKILL.md describes storage as 'temporary' while the schema specifies a persistent cache path — this mismatch should be clarified. The filesystem permission is required for the documented purpose and is proportionate.
Persistence & Privilege
The skill is not marked 'always', and requires only filesystem access. The schema indicates it may write a cache file in the user's AppData, which is reasonable for caching shortcuts. Still, the packaging omits the code that would perform writes, so it's unclear what will actually be written and when; that uncertainty raises a minor persistence concern.
What to consider before installing
This skill's goal (scanning Start Menu shortcuts and opening apps) is plausible and only needs filesystem access, but the package is incomplete: the schema references a main PowerShell script (main.ps1) and a persistent cache path that are not included. Before installing or enabling it, ask the author for the missing script and review its contents. Confirm whether the cache is truly temporary or written to AppData, and ensure you are comfortable with a skill that will read your user and public Start Menu directories and create local cache files. If you do not receive the referenced script, treat the skill as incomplete — allowing an agent to generate and execute ad-hoc PowerShell to perform these actions increases risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk9751p44qpe1x31cvd6jq020t18309pe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments